From default ports to JA3S fingerprints
# Tool/Technique: Sliver C2 Framework
## Overview
Sliver is an open-source, cross-platform command-and-control (C2) framework written in Go and released by Bishop Fox. It is built for adversary emulation and red teaming, but has also been widely adopted by malicious actors for real-world intrusions. The hunting methodology summarized here identifies Sliver infrastructure from the outside: first by its default listener ports, then by the server-side TLS fingerprint (JA3S) that its Go TLS stack produces, cross-checked against certificate metadata.
## Technical Details
- Type: Tool / Framework (C2)
- Platform: Cross-platform; implants are built for Windows, Linux and macOS (the article itself only describes it as a "cross-platform adversary emulation/red team framework").
- Capabilities: Command and control through implants; the article covers the HTTP/HTTPS transports (Sliver also offers mTLS, WireGuard and DNS listeners, which this methodology does not address), and a multiplayer mode that lets several operators share one server.
- First Seen: Released publicly in 2019 by Bishop Fox.
## MITRE ATT&CK Mapping
Sliver, as a C2 framework, supports several stages of the attack lifecycle. The article focuses on discovering its infrastructure, so only the C2 tactic is mapped here:
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (for HTTP/HTTPS C2, default ports 80, 443)
## Functionality
### Core Capabilities
* **C2 Communication:** HTTPS listeners default to port 443 and HTTP listeners to port 80.
* **Alternative Ports:** 8080 and 8888 are also commonly used for HTTP C2 traffic.
* **Multiplayer Server:** The operator-facing multiplayer service listens on 31337 by default; 1337 is seen as an alternate.
### Advanced Features
* **JA3S Fingerprinting:** JA3S hashes the server's side of the TLS handshake (the version, cipher suite and extensions chosen in the Server Hello). The article derives a characteristic fingerprint for Sliver servers (`475c9302dc42b2751db9edcac3b74891`). Because the Server Hello is a response to a specific Client Hello, a JA3S value is only stable for a given scanner's client fingerprint, and other servers built on Go's crypto/tls can produce the same one, which is why the article pairs it with certificate metadata.
* **Certificate Pivoting:** Infrastructure can be identified through common names (CN) in the TLS certificates it presents, such as "operators" and "multiplayer".
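How the fingerprint in the JA3S bullet is derived, as an added example that is not code from the article or the Sliver project: the functions below parse a raw TLS ServerHello record and build the JA3S input string and its MD5 hash. The ServerHello bytes are constructed inline (the cipher and extension set are assumptions for illustration, not captured Sliver traffic), and a second record from the same notional server answering a barer client shows why a JA3S value depends on the scanner's ClientHello.

```python
"""Compute a JA3S fingerprint from a raw TLS ServerHello record.

Added example, not code from the original article or from Sliver. JA3S is
MD5("SSLVersion,Cipher,Extensions") taken from the ServerHello: the
handshake version, the single cipher the server selected, and the extension
types it sent back, all as decimal values, fields comma-separated and
extensions dash-separated. The ServerHello bytes built below are constructed
test input, not observed traffic.
"""
import hashlib
import struct


def build_server_hello(version, cipher, extensions, session_id=b""):
    """Assemble a minimal TLS ServerHello record (constructed test input).

    `extensions` is a list of (type, data) tuples in the order the server
    would send them. The server random is fixed so output is deterministic.
    """
    body = struct.pack("!H", version)
    body += b"\x11" * 32                                   # server random (fixed)
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", cipher)
    body += b"\x00"                                        # compression: null
    ext_blob = b"".join(
        struct.pack("!HH", ext_type, len(data)) + data for ext_type, data in extensions
    )
    if extensions:
        body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def ja3s_string(record):
    """Return the JA3S input string for a TLS record carrying a ServerHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    off = 2 + 32                                           # skip server random
    sid_len = body[off]
    off += 1 + sid_len                                     # skip session id
    cipher = struct.unpack("!H", body[off:off + 2])[0]
    off += 3                                               # cipher (2) + compression (1)
    ext_types = []
    if off < len(body):                                    # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            ext_type, data_len = struct.unpack("!HH", body[off:off + 4])
            ext_types.append(ext_type)
            off += 4 + data_len
    return f"{version},{cipher},{'-'.join(str(t) for t in ext_types)}"


def ja3s(record):
    """JA3S fingerprint: MD5 hex digest of the JA3S input string."""
    return hashlib.md5(ja3s_string(record).encode()).hexdigest()


# Constructed: a TLS 1.2 server (771) selecting ECDHE-RSA-AES128-GCM-SHA256
# (0xc02f) for a client that offered renegotiation_info, SNI and ALPN.
HELLO_FULL_CLIENT = build_server_hello(
    0x0303, 0xC02F,
    [(65281, b"\x00"),                 # renegotiation_info
     (0, b""),                         # server_name, echoed empty
     (16, b"\x00\x03\x02h2")],         # ALPN: selected protocol "h2"
)
# Constructed: the same server answering a bare client (no SNI, no ALPN).
# A server can only echo extensions the client offered, so JA3S changes.
HELLO_BARE_CLIENT = build_server_hello(0x0303, 0xC02F, [(65281, b"\x00")])

if __name__ == "__main__":
    for name, rec in [("full client", HELLO_FULL_CLIENT), ("bare client", HELLO_BARE_CLIENT)]:
        print(f"{name:12s} {ja3s_string(rec):24s} -> {ja3s(rec)}")
```

The practical consequence: a JA3S published by one scanner (Shodan, Censys, your own Zeek sensor) is only comparable with values produced by a client sending the same ClientHello, so record which client generated a fingerprint before reusing it as an indicator.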
## Indicators of Compromise
The article provides infrastructure indicators used for detection:
- File Hashes: Not explicitly provided in the summary, but linked samples exist on external resources.
- File Names: Not explicitly provided.
- Registry Keys: Not mentioned.
- Network Indicators:
- Default HTTPS C2 Port: 443
- Default HTTP C2 Ports: 80, 8080, 8888
- Default Multiplayer Server Port: 31337
- Alternate Multiplayer Port: 1337
- Example IP Address Observed: `54.38[.]52[.]14` (Target of the hunt)
- Certificate Common Names: `CN=operators`, `CN=multiplayer`
- Deduced JA3S Fingerprint: `475c9302dc42b2751db9edcac3b74891`
- Behavioral Indicators: Shared SSH host-key fingerprints across a cluster of hosts in AS44477 (Stark Industries), used to pivot from the initial target to related infrastructure.
## Associated Threat Actors
The article does not attribute the observed activity to a named threat group. It notes that the tool was "immediately adopted by malicious actors" and describes a cluster of compromised infrastructure hosted under AS44477, an organization it describes as "known to be naughty."
## Detection Methods
* **Network Scanning/Monitoring:** Hunting for default Sliver ports, especially 31337 and 1337, which few legitimate services use; the HTTP/HTTPS defaults (80, 443) are too common to hunt on alone.
* **TLS Analysis (JA3S):** Pairing the JA3S fingerprint with certificate metadata. The article notes the fingerprint is hard for an operator to change without modifying the source, since it reflects Go's TLS defaults; the flip side is that it is not unique to Sliver, so it should confirm rather than replace the port and certificate evidence.
* **Certificate Search:** Querying public internet scanners for hosts presenting certificates with the characteristic Common Names (e.g., "multiplayer").
* **Shodan/Censys Querying:** Querying more than one platform, since a deployment that is not on a default port may be indexed by one scanner but not another.
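Putting the detection methods above together, as an added example that is not part of the original article: a small hunt over Zeek-style ssl.log records (JSON form, fields id.resp_h, id.resp_p, ja3s, subject) that scores each destination host against the default ports, the deduced JA3S and the certificate common names. The log lines, the IPs (documentation range), the benign JA3S value and the scoring weights are all constructed for this example; the host on 8443 shows why certificate and JA3S evidence still catches a listener moved off a default port, and the host on 443 shows why the JA3S alone is not treated as a hit.

```python
"""Score TLS observations against the Sliver indicators listed in the article.

Added example, not part of the original article. Input is Zeek-style ssl.log
records in JSON form; the records below are constructed, and the IPs are
documentation addresses, not observed infrastructure. The JA3S value is the
one the article deduces; it is treated as a Go crypto/tls fingerprint that
other Go servers may share, so it only adds weight when combined with the
certificate subject.
"""
import json
import re

C2_PORTS = {443, 80, 8080, 8888}          # default HTTP/HTTPS listener ports
MULTIPLAYER_PORTS = {31337, 1337}         # default and alternate multiplayer ports
SLIVER_JA3S = "475c9302dc42b2751db9edcac3b74891"
SLIVER_CNS = {"multiplayer", "operators"}


def parse_cn(subject):
    """Extract the CN attribute from a Zeek-style 'CN=foo,O=bar' subject."""
    m = re.search(r"(?:^|,)CN=([^,]+)", subject or "")
    return m.group(1) if m else None


def score_record(rec):
    """Return (score, reasons) for one ssl.log record.

    The weights are an assumption of this example: a default port alone is
    weak evidence, the JA3S alone is suggestive, a Sliver certificate CN is
    strong, and the three add up.
    """
    reasons, score = [], 0
    port = int(rec["id.resp_p"])
    if port in MULTIPLAYER_PORTS:
        score += 2
        reasons.append(f"multiplayer port {port}")
    elif port in C2_PORTS:
        score += 1
        reasons.append(f"default C2 port {port}")
    if rec.get("ja3s") == SLIVER_JA3S:
        score += 2
        reasons.append("JA3S matches the deduced Sliver/Go TLS fingerprint")
    cn = parse_cn(rec.get("subject"))
    if cn in SLIVER_CNS:
        score += 4
        reasons.append(f"certificate CN={cn}")
    return score, reasons


def hunt(log_lines, threshold=5):
    """Keep the best-scoring record per destination host; return those at or above threshold."""
    hits = {}
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        score, reasons = score_record(rec)
        host = rec["id.resp_h"]
        if score >= hits.get(host, (-1, []))[0]:
            hits[host] = (score, reasons)
    return {h: v for h, v in hits.items() if v[0] >= threshold}


# Constructed ssl.log lines (JSON). The benign JA3S below is a placeholder,
# not a real fingerprint.
SAMPLE_SSL_LOG = """
{"id.resp_h":"203.0.113.10","id.resp_p":31337,"ja3s":"475c9302dc42b2751db9edcac3b74891","subject":"CN=multiplayer"}
{"id.resp_h":"203.0.113.20","id.resp_p":443,"ja3s":"475c9302dc42b2751db9edcac3b74891","subject":"CN=www.example.com,O=Example"}
{"id.resp_h":"203.0.113.30","id.resp_p":443,"ja3s":"ffffffffffffffffffffffffffffffff","subject":"CN=www.example.net"}
{"id.resp_h":"203.0.113.40","id.resp_p":8443,"ja3s":"475c9302dc42b2751db9edcac3b74891","subject":"CN=operators"}
""".strip().splitlines()

if __name__ == "__main__":
    for host, (score, reasons) in sorted(hunt(SAMPLE_SSL_LOG).items()):
        print(f"{host:15s} score={score}  " + "; ".join(reasons))
```

Run against real Zeek output, the same logic reads `ssl.log` line by line; the thresholds are where a team would tune for its own environment, and any host flagged on the JA3S plus a default port but without a Sliver CN is worth a manual look rather than an automatic alert.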
## Mitigation Strategies
* **Network Segmentation:** Limiting inbound and outbound connections to only necessary ports and protocols.
* **TLS Inspection/Logging:** TLS metadata logging (JA3/JA3S, certificate subjects) or inspection at network defenses, so that connections matching known C2 profiles can be detected without decrypting traffic.
* **Certificate Vigilance:** Monitoring for infrastructure using common C2-related certificate subjects.
## Related Tools/Techniques
Sliver is a C2 framework comparable to other established C2 platforms such as Cobalt Strike, Metasploit or Covenant, though the article does not name them. The detection technique is the same TLS fingerprinting approach (JA3/JA3S) applied to other malware families and C2 servers.