Detecting and decrypting Sliver C2 – a threat hunter’s guide

| property | value |
| --- | --- |
| tags | c2,offensive-tradecraft,sliver-c2 |
| url | |
| original_word_count | 2390 |

Article Excerpt

Originating from the Bishop Fox team, Sliver is an open-source, cross-platform, and extensible C2 framework. It’s written primarily in Go, making it fast, portable, and easy to customize.

Long Summary

Sliver is an open-source, cross-platform, and extensible C2 framework written in Go, making it fast, portable, and easy to customize. Its features cater to both beginner and advanced users, including the ability to generate dynamic payloads for multiple platforms, such as Windows, Linux, and macOS. Sliver supports a wide range of communication protocols, including HTTP, HTTPS, DNS, TCP, and WireGuard, so C2 traffic can be flexible, stealthy, and blend in with normal network traffic. Team Cymru has observed an increase in Sliver’s popularity over recent months, and Microsoft and the UK’s NCSC have reported on how threat actors use Sliver to target large organizations.

The Immersive Labs CTI team has identified methods to detect Sliver through file, memory, and network artifacts. To capture all of the traffic and artifacts necessary for analyzing the implant, a specialized range was set up with high-fidelity log collection and EDR capabilities. Attacker infrastructure was also deployed, consisting of a single EC2 instance on a public IP address, with DNS configured through Cloudflare. Sliver was then installed and listeners for HTTP and DNS were started.

Analysis of the implant revealed that it was a compiled Go binary, making it extremely portable across multiple operating systems and architectures. Memory detection was easier because the entire Go binary must be unpacked into memory regardless of any packing of the binary or staged delivery. Canary domains were also used to detect the implant in binary files. Sliver has four main callback protocols: DNS, mTLS, WireGuard, and HTTP(S).

The process of extracting session keys from a Sliver C2 implant begins by using an EDR such as Velociraptor to identify the running process for the implant. The process dump is then downloaded and scanned for the keys. The keys are derived from a SHA256 hash of random bytes, and in memory a key follows the pattern 00 00 [32-byte key] ?? ?? ?? 00 C0 00 00. To reduce the number of results, it is assumed that a session key would not contain a run of three consecutive null bytes.
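As an added illustration (not code from the article or from the Immersive Labs team), the following Python scanner applies that byte pattern and the three-null-byte filter to a process dump; the sample dump, the key bytes, the decoy, and the filler are all constructed here, not taken from a real Sliver process image.

```python
import re
import sys
from typing import List, Tuple

# Framing from the article: 00 00 [32-byte key] ?? ?? ?? 00 C0 00 00.
# A lookahead is used so that overlapping candidates are all reported.
KEY_PATTERN = re.compile(
    rb"(?=\x00\x00(?P<key>.{32}).{3}\x00\xc0\x00\x00)", re.DOTALL
)


def find_session_keys(dump: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, key) candidates found in a process dump.

    A candidate is dropped when its 32 key bytes contain three consecutive
    null bytes: the article assumes a SHA256-derived key will not contain
    such a run, and this filter removes most false positives.
    """
    candidates = []
    for match in KEY_PATTERN.finditer(dump):
        key = match.group("key")
        if b"\x00\x00\x00" in key:
            continue
        candidates.append((match.start("key"), key))
    return candidates


# Constructed sample dump (not a real Sliver process image): filler, one
# plausible key inside the framing, and a decoy that matches the framing
# but fails the null-byte filter.
SAMPLE_KEY = bytes(range(0x10, 0x30))                      # 32 non-null bytes
DECOY_KEY = b"\x41" * 14 + b"\x00\x00\x00" + b"\x42" * 15  # 32 bytes, 3 nulls


def frame(key: bytes) -> bytes:
    """Wrap a key in the in-memory framing the scanner looks for."""
    return b"\x00\x00" + key + b"\xaa\xbb\xcc" + b"\x00\xc0\x00\x00"


SAMPLE_DUMP = (
    b"\xff" * 64 + frame(SAMPLE_KEY) + b"\x11" * 40 + frame(DECOY_KEY) + b"\x22" * 16
)

if __name__ == "__main__":
    # Pass the path of a dump (e.g. one collected with Velociraptor) to scan it;
    # with no argument the constructed sample is scanned instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for offset, key in find_session_keys(data):
        print(f"candidate key at offset 0x{offset:x}: {key.hex()}")
```

Candidates that survive the filter still need to be tried against captured traffic; the scanner only narrows the search.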

If the traffic is captured through packet capture, log capture (DNS), or even extracting fragments from process memory, there is enough information to decrypt the traffic. The sliver_pcap_parser.py script

Short Summary

📓 Detecting and decrypting Sliver C2 – a threat hunter’s guide

👉🏽 Originating from the Bishop Fox team, Sliver is an open-source, cross-platform, and extensible C2 framework. It’s written primarily in Go, making it fast, portable, and easy to customize.
👉🏽 Sliver is an open-source, cross-platform C2 framework written in Go.
👉🏽 It is fast, portable, and easy to customize for both beginners and advanced users.
👉🏽 Dynamic payloads can be generated for multiple platforms such as Windows, Linux, and macOS.
👉🏽 Supports a wide range of communication protocols, including HTTP, HTTPS, DNS, TCP, and WireGuard.
👉🏽 Allows C2 traffic to be flexible, stealthy, and blend in with normal network traffic.
👉🏽 Sliver has gained popularity among threat actors targeting large organizations.
👉🏽 Immersive Labs CTI team has identified methods to detect Sliver through file, memory, and network artifacts.
👉🏽 Sliver is a compiled Go binary making it extremely portable across multiple operating systems and architectures.
👉🏽 The process of extracting session keys from a Sliver C2 implant involves using an EDR like Velociraptor to identify the running process for the implant.
👉🏽 Traffic captured through packet capture, log capture (DNS), or memory fragments can be decrypted using the sliver_pcap_parser.py script.

#SliverFramework #C2 #ThreatDetection #CommunicationProtocols #SessionKeys