Detecting and blocking the use of Cobalt Strike by adversaries has been a main focus for security teams over the years; now they may also want to keep an eye out for “Sliver”, an open-source C2 framework that adversaries have increasingly begun integrating into their attack chains.
Researchers from Microsoft warned that they have observed nation-state actors, ransomware and extortion groups, and other threat actors using Sliver alongside, or often as a replacement for, Cobalt Strike in various campaigns. Among them is DEV-0237, a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families, as well as several groups engaged in human-operated ransomware attacks.
In some cases Sliver was used as part of the initial infection tool chain to deliver ransomware. In other instances it was used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.
Sliver was developed and released by researchers from BishopFox; the framework is designed to give red teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments.
Sliver is written in Go and can be used across multiple operating systems, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as shellcode, executables, shared libraries/DLLs, and services.
Sliver also supports smaller payloads, or stagers, with a handful of features that allow operators to retrieve and launch a full implant.
Sliver lowers the barrier to entry for attackers, offering considerable customization in payload delivery and ways of adapting attacks to evade defenses.
Sliver has many of the same capabilities as Cobalt Strike, but without the same spotlight being shone on it. This has created a potential gap in detection coverage that some attackers are now trying to exploit.
More importantly, the fact that it is free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released.
Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel after observing some threat actors using it for C2 purposes.