What is Sliver?
Sliver (MITRE ATT&CK S0633) is an open-source, cross-platform post-exploitation and Command and Control (C2) framework written in Go and maintained by BishopFox. Like Cobalt Strike, it is a legitimate red-team tool, and like Cobalt Strike it has been adopted by threat actors, who gain a mature C2 framework at no cost.
A Sliver implant gives the operator remote control of a compromised system. Implants are generated per target with the operator's chosen C2 transport (mTLS, WireGuard, HTTP(S), or DNS) and can be extended after deployment with extensions and BOFs loaded from the server, so the same implant can execute commands, stage additional tooling, exfiltrate data, and pivot to other hosts on the network. That flexibility is what makes it a popular choice for adversaries.
How to Defend Against Sliver?
Sliver is a tool, not a vulnerability, so there is nothing to patch. Defending against its malicious use means denying the initial access that delivers the implant and detecting the implant once it is running: its C2 traffic (which is built to blend in with normal DNS and web traffic) and its post-exploitation behavior on the endpoint.
- Reduce the attack surface: inventory exposed assets and services (a tool like Lumu Discover can help) and remove or restrict what is not needed.
- Use strong access controls (MFA, least privilege, no exposed remote-administration services) to deny the initial access required to deploy a Sliver implant.
- Deploy endpoint detection and antivirus to identify the implant's behaviors rather than its binary, which is rebuilt per target: process injection and migration, in-memory execution of assemblies and BOFs, and unexpected processes making outbound network connections.
- Use network detection (NDR) like Lumu Defender to identify and block the characteristic C2 communications over Sliver's supported transports (mTLS, WireGuard, HTTP(S), and DNS). Because the HTTP(S) traffic is designed to look like ordinary web requests, rely on traffic patterns (periodic beaconing, long high-entropy DNS subdomains, TLS to unfamiliar hosts) rather than on a single signature.
- Integrate threat intelligence from a platform like Lumu Maltiverse to proactively block known malicious Sliver C2 servers and infrastructure, and to confirm that a host flagged by the behavioral detections above is talking to known-bad infrastructure.
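The two network patterns the list above relies on, periodic beaconing over HTTP(S) and encoded data in DNS subdomains, can be checked with simple heuristics over proxy and resolver logs. The following is an added example written for this page, not Lumu's or Sliver's code: it runs a beaconing check and a DNS-tunnelling check over constructed sample log lines. The log formats, the thresholds (label length, entropy, coefficient of variation), and the "last two labels" approximation of a registrable domain are assumptions for the example; neither heuristic is a Sliver-specific signature, since Sliver's transports and sleep/jitter are operator-configurable.

```python
"""Generic C2 heuristics over constructed DNS and HTTP proxy log lines.
Added example (not Lumu's or Sliver's code); log formats and thresholds
are assumptions, and neither heuristic is a Sliver-specific signature."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed DNS log, "<epoch> <src_ip> <qname>" (not real traffic).
DNS_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 a1b2c3d4e5f6g7h8i9j0k1l2.c2.example.net
1700000002 10.0.0.5 mail.example.com
1700000003 10.0.0.5 m3n4o5p6q7r8s9t0u1v2w3x4.c2.example.net
1700000004 10.0.0.5 y5z6a7b8c9d0e1f2g3h4i5j6.c2.example.net
1700000005 10.0.0.5 static-assets-west-2-prod.cdn.example.com
1700000006 10.0.0.5 k7l8m9n0o1p2q3r4s5t6u7v8.c2.example.net
1700000007 10.0.0.5 w9x0y1z2a3b4c5d6e7f8g9h0.c2.example.net
1700000008 10.0.0.5 i1j2k3l4m5n6o7p8q9r0s1t2.c2.example.net
1700000009 10.0.0.7 www.example.com
"""

# Constructed HTTP proxy log, "<epoch> <src_ip> <dst_host>". 10.0.0.5 polls
# updates.example.org every ~60 s with jitter; 10.0.0.7 browses irregularly.
HTTP_LOG = """\
1700000000 10.0.0.5 updates.example.org
1700000000 10.0.0.7 www.example.com
1700000005 10.0.0.7 www.example.com
1700000063 10.0.0.5 updates.example.org
1700000118 10.0.0.5 updates.example.org
1700000120 10.0.0.7 www.example.com
1700000121 10.0.0.7 www.example.com
1700000181 10.0.0.5 updates.example.org
1700000238 10.0.0.5 updates.example.org
1700000300 10.0.0.5 updates.example.org
1700000359 10.0.0.5 updates.example.org
1700000400 10.0.0.7 www.example.com
1700000421 10.0.0.5 updates.example.org
1700000900 10.0.0.7 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def base_domain(qname: str) -> str:
    """Last two labels as a stand-in for the registrable domain (a real
    detector would use the public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def dns_tunnel_candidates(log, min_label_len=20, min_entropy=3.5, min_queries=5):
    """{(src_ip, base_domain): n} for sources sending >= min_queries queries
    whose leftmost label is long and high-entropy (encoded payload data)."""
    hits = Counter()
    for line in log.splitlines():
        _ts, src, qname = line.split()
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[(src, base_domain(qname))] += 1
    return {k: n for k, n in hits.items() if n >= min_queries}


def beacon_candidates(log, min_hits=6, max_cv=0.2):
    """{(src_ip, dst_host): (mean_interval_s, cv)} for pairs whose request
    intervals are near-periodic. cv = stdev/mean of the intervals, so
    sleep jitter raises it a little and max_cv leaves room for that."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        times[(src, dst)].append(int(ts))
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        intervals = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(intervals)
        cv = pstdev(intervals) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found[key] = (round(avg, 1), round(cv, 3))
    return found


if __name__ == "__main__":
    for (src, dom), n in dns_tunnel_candidates(DNS_LOG).items():
        print(f"possible DNS tunnel: {src} -> *.{dom} ({n} encoded-looking queries)")
    for (src, dst), (avg, cv) in beacon_candidates(HTTP_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{avg}s (cv={cv})")
```

Two details matter in practice. The long but low-entropy CDN hostname in the DNS sample is not flagged, which is why the entropy test is combined with the label-length test and a per-domain query count; hostnames alone produce false positives. And the beacon check tolerates jitter by thresholding the coefficient of variation rather than demanding identical intervals; an operator who sets a very large jitter defeats it, which is exactly why the page pairs behavioral detection with threat intelligence on known C2 infrastructure.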