Threat Analysis Unit

Detection of Lateral Movement with the Sliver C2 Framework 

Since it appeared roughly a year and a half ago, the C2 framework Sliver has quickly gained popularity among pen testers and attackers alike. It is written in Go (Golang), distributed as open source, and updated constantly. The framework supports all the basic functionality one would need to control a victim's machine. Because both the server and the implant are written in Go, development is easier and, unfortunately, detection is harder. This blog post shows how attackers would use Sliver to move laterally in a corporate network and analyzes the network traffic that this activity generates.

Implant and Listener 

As with any C2 framework, the two basic components communicating with each other are the implant and the listener: the implant is the piece of code running on a compromised host, and the listener is the back-end part of the attacker's infrastructure.

Setting up an HTTPS listener and generating an implant is a matter of two commands, https and generate (see Figure 1). The https command starts a web server listening on port 443, whereas the generate command compiles an implant from Sliver's Go source code and saves it to disk.

Figure 1: Setting up a listener (1); generating an implant (2); engaging with the implant (3). 

The implant then has to be executed on the victim's machine. For demonstration purposes, we run it manually, skipping the delivery step (e.g., a social engineering attack or an exploit). As Figure 2 shows, the implant OUTSTANDING_DOUBTER.exe immediately connects to the HTTPS listener hosted on 169.254.180.1. The output of the net view command in the same screenshot shows that the test network consists of three machines: a Windows 10 host (where the implant is now running), a Windows 7 host (the target), and a Windows Server 2019 host.

Figure 2: Implant (OUTSTANDING_DOUBTER.exe), running on Windows 10. 

Lateral Movement 

Landing on a machine inside a corporate network is only the first act in a series of events known as lateral movement. The ultimate goal is to take control of the most important pieces of infrastructure, such as domain controllers and servers. This section explains how an attacker would use Sliver to move laterally, "jumping" from one host to another with one of the framework's built-in features.

To control the implant remotely, the attacker first joins its session with the use command (#3 in Figure 1). The next step is to create a service implant, i.e., one that runs as a Windows service on the remote system; the generate --format service command builds it (#1 in Figure 3). The actual lateral propagation is then performed with the psexec command (#2 in Figure 3), which does three things at once: (1) it copies the service implant to the remote system (the Windows 7 host, in our case), (2) creates a service on that host, and (3) starts it.

Figure 3: Generating a service implant (1); executing the implant on a remote system (2); engaging with the implant (3); showing information about the implant’s OS (4). 

The psexec command from Figure 3 executed the service implant as acidm.exe, which immediately connected to the HTTPS listener hosted on 169.254.180.1 (see Figure 4). Once the new session pops up in the sessions list, the attacker can connect to it and take control of the implant via the use command (#3 in Figure 3). The info command confirms that the implant is indeed running on the Windows 7 machine (#4 in Figure 3).

Figure 4: Implant (acidm.exe), running as a service on Windows 7. 

Detection Opportunities 

While fingerprinting the C2 protocol itself is not always possible because the traffic is wrapped in TLS, lateral movement attempts are much easier to detect. As Figure 5 shows, when moving laterally with the psexec method, the attacker has to copy an executable to the target over SMB (1), issue a CreateServiceW request (2), and then start the service with a StartServiceW call (3); the latter two are Service Control Manager Remote Protocol (MS-SCMR) calls carried over the svcctl named pipe. This is by far the most popular way of penetrating a remote system; it has also been employed by Emotet's SMB spreader (covered in detail in our blog post How to Replicate Emotet Lateral Movement).

In such an operation, the remote service name, the service description, and the directory to which the executable is uploaded are all configurable, and Sliver generates a random file name for every psexec execution (acidm.exe, in our case). Therefore, a robust detection signature for this lateral movement technique should rely on the sequence of events that does not change, rather than on specific strings or byte sequences in the network traffic (e.g., the default service name "Sliver" or the default target directory Windows\Temp).

Figure 5: Network traffic of the lateral movement from Windows 10 (169.254.180.2) to Windows 7 (169.254.180.3) over SMB: copying an implant (1); creating a system service (2); starting the service (3). 
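The sequence-based approach described above, as an added example that is not part of the original post or of Sliver: a small Python correlator that reads Zeek-style smb_files.log and dce_rpc.log records and raises an alert for a (source, destination) pair only when an executable written to an administrative share is followed, within a time window, by CreateServiceW and then StartServiceW on the svcctl pipe. The log lines are constructed for this demo (the IP addresses match the lab in Figure 5; file name, timestamps and the window size are made up, and real Zeek logs carry many more columns), and the action and operation names are assumed to follow Zeek's naming. File and service names play no part in the decision, which is the point of the preceding paragraph.

```python
"""Correlate the copy -> CreateServiceW -> StartServiceW chain per host pair.

Added example, not code from the original post or from Sliver. It parses
constructed, Zeek-style smb_files.log / dce_rpc.log records and flags a
(source, destination) pair when an executable is written to an admin share
and, within WINDOW seconds, CreateServiceW and then StartServiceW are issued
on the svcctl pipe. File and service names are deliberately ignored.
"""
from collections import namedtuple

WINDOW = 60.0  # seconds in which the three steps must occur (assumed tuning value)

# Constructed sample logs in Zeek's tab-separated layout with a #fields header.
# Only a subset of Zeek's columns is used; field and operation names are
# assumed to match Zeek's naming. Values are made up for the demo.
SMB_FILES_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\taction\tpath\tname
1.00\t169.254.180.2\t169.254.180.3\tSMB::FILE_OPEN\t\\\\169.254.180.3\\ADMIN$\tacidm.exe
1.05\t169.254.180.2\t169.254.180.3\tSMB::FILE_WRITE\t\\\\169.254.180.3\\ADMIN$\tacidm.exe
9.00\t169.254.180.2\t169.254.180.4\tSMB::FILE_WRITE\t\\\\169.254.180.4\\share\treport.docx
"""

DCE_RPC_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tendpoint\toperation
1.20\t169.254.180.2\t169.254.180.3\tsvcctl\tOpenSCManagerW
1.25\t169.254.180.2\t169.254.180.3\tsvcctl\tCreateServiceW
1.30\t169.254.180.2\t169.254.180.3\tsvcctl\tStartServiceW
5.00\t169.254.180.5\t169.254.180.4\tsvcctl\tStartServiceW
"""

Event = namedtuple("Event", "ts src dst stage detail")
COPY, CREATE, START = 1, 2, 3  # the three steps, in the order they must occur


def parse_zeek_tsv(text):
    """Turn a Zeek-style TSV log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_admin_share(path):
    # Hidden administrative shares such as \\host\ADMIN$ or \\host\C$ end in '$'.
    return path.rstrip("\\").endswith("$")


def normalize(smb_rows, rpc_rows):
    """Map raw log rows onto the three stages; everything else is dropped."""
    events = []
    for r in smb_rows:
        if r["action"] == "SMB::FILE_WRITE" and is_admin_share(r["path"]):
            events.append(Event(float(r["ts"]), r["id.orig_h"], r["id.resp_h"], COPY, r["name"]))
    for r in rpc_rows:
        if r["endpoint"] != "svcctl":
            continue
        stage = {"CreateServiceW": CREATE, "StartServiceW": START}.get(r["operation"])
        if stage is not None:
            events.append(Event(float(r["ts"]), r["id.orig_h"], r["id.resp_h"], stage, r["operation"]))
    return sorted(events)  # chronological order across both logs


def find_psexec_sequences(smb_rows, rpc_rows, window=WINDOW):
    """Return one alert per (src, dst) pair that completes COPY -> CREATE -> START in time."""
    alerts = []
    pending = {}  # (src, dst) -> (next expected stage, ts of the copy, copied file name)
    for ev in normalize(smb_rows, rpc_rows):
        key = (ev.src, ev.dst)
        expected, copy_ts, fname = pending.get(key, (COPY, None, None))
        if copy_ts is not None and ev.ts - copy_ts > window:
            pending.pop(key)  # chain went stale; start over
            expected, copy_ts, fname = COPY, None, None
        if ev.stage == COPY:
            pending[key] = (CREATE, ev.ts, ev.detail)  # every admin-share write (re)arms the chain
        elif ev.stage == expected == CREATE:
            pending[key] = (START, copy_ts, fname)
        elif ev.stage == expected == START:
            alerts.append({"src": ev.src, "dst": ev.dst, "file": fname,
                           "copy_ts": copy_ts, "start_ts": ev.ts})
            pending.pop(key)
        # CreateServiceW/StartServiceW without a preceding copy is ignored: that
        # is what ordinary remote service administration looks like on the wire.
    return alerts


if __name__ == "__main__":
    for a in find_psexec_sequences(parse_zeek_tsv(SMB_FILES_LOG), parse_zeek_tsv(DCE_RPC_LOG)):
        print(f"psexec-style lateral movement {a['src']} -> {a['dst']}: "
              f"{a['file']} copied at {a['copy_ts']}, service started at {a['start_ts']}")
```

The window is the only tuning knob: too small and a slow transfer splits the chain, too large and an unrelated service start after a legitimate file copy will be paired up. The same state machine can be fed from host telemetry instead of the wire (a share access followed by a new-service installation on the target), which is worth doing where the SMB traffic is not visible to a sensor.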

Besides the built-in psexec, Sliver supports various other lateral movement methods through third-party components, which can be installed with the armory command. The Armory, Sliver's alias and extension package manager, can install components such as SharpWMI (remote process creation via WMI), ServiceMove-BOF (which abuses the Windows Perception Simulation Service), SCShell (which relies on ChangeServiceConfigA to run commands), and many others.

Each of these methods requires its own tailored detection, as the techniques they employ differ greatly. We will dedicate a future blog post to systematically highlighting more detection opportunities for specific attacks; in the meantime, an anomaly detection system that can capture previously unseen behavior remains an important safety net.

Conclusions 

In this blog post, we showed how an attacker may use Sliver to generate an implant, control it, and move laterally within a corporate network, and what network traffic this activity may generate. We have also pointed out the patterns that can be seen when these activities are carried out. 

There are three main ingredients of success for Sliver: 1) being open source; 2) frequency of releases; 3) non-over-engineered code that is just plain effective. It should be no surprise that Sliver is now the third most popular C2 framework on the market, after Cobalt Strike and Metasploit. We believe that this trend will continue, and the Sliver framework will be increasingly used in high-profile breaches. 

Artifacts 

You can download the PCAP file with the network traffic analyzed in the Detection Opportunities section from our repository.