An increasing number of threat actors have started relying on the C2 framework Sliver as an open-source alternative to tools such as Metasploit and Cobalt Strike.
Though released in 2020, Sliver, a Go-based post-exploitation framework, is gaining popularity because of its modular capabilities (delivered through Armory), cross-platform support, and large feature set. It has already been used by known threat actors and malware families such as BumbleBee and APT29 (Cozy Bear).
Sliver Framework Architecture
- Server Console – The server console is the main interface, which is started when you run the sliver-server executable.
- Sliver C2 Server – The Sliver C2 server is also part of the sliver-server executable; it manages the internal database and starts and stops network listeners.
- Client Console – The client console is the primary user interface that is used to interact with the Sliver C2 server.
- Implant – The implant is the actual malicious code run on the target system you want remote access to.
Sliver is designed as a second-stage payload which, after deployment, gives the threat actor full access to the target system and the ability to carry out the next steps in the attack chain.
An attack sequence leveraging the C2 framework could lead to privilege escalation, credential theft, and lateral movement. A proof-of-concept attack showed that attackers could ultimately take over the domain controller and exfiltrate sensitive data.
Sliver C2 can be detected because executing Sliver-specific features leaves specific signatures. Detections and fingerprinting methods for the infrastructure server also exist and are listed in this article.
This research was documented by researchers from Cybereason.