Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks - Microsoft Sec...
Microsoft has observed the Sliver command-and-control (C2) framework being adopted and integrated into intrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors seeking to evade detection. We’ve seen these actors use Sliver alongside, or as a replacement for, Cobalt Strike. Given Cobalt Strike’s popularity as an attack tool, defenses against it have improved over time. Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier to entry.
First made public in late 2019 and advertised to security professionals, Sliver is an open-source framework that’s available on GitHub and includes many common C2 framework features such as support for multiple simultaneous operators, multiple listener types, user-developed extensions, and payload generation. Since December 2020, we’ve observed threat actors adopting Sliver into their arsenal.
Among its adopters is the prolific ransomware-as-a-service (RaaS) affiliate DEV-0237. More recently, we’ve seen cybercrime actors historically tied to human-operated ransomware deliver Sliver and various post-compromise tools using Bumblebee malware (also known as COLDTRAIN) as an initial access loader. Customers can learn more about Bumblebee in our Threat Analytics report, available in the Microsoft 365 Defender portal.
In this blog, we share how the researchers behind Microsoft Defender Experts for Hunting analyzed Sliver and used both lab-simulated attacks and real-world threat activity to create hunting queries to surface Sliver and other C2 frameworks.