Fosstodon @fosstodon

0 posts0 participants0 posts today

**OTX Bot** @techbot@social.raytec.co · Apr 28

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Active Directory vulnerabilities. Persistence was maintained via AnyDesk, automated by a PowerShell script. Sliver C2 executables were used for command-and-control operations. The victims spanned multiple industries across Europe, North America, and South America, highlighting the affiliate's broad targeting scope. The toolkit included SonicWall Scanner, DonPAPI, Certipy, Zer0dump, and Pachine/noPac for various attack stages.

Pulse ID: 680f0738479d23f04a10d198
Pulse Link: https://otx.alienvault.com/pulse/680f0738479d23f04a10d198
Pulse Author: AlienVault
Created: 2025-04-28 04:42:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

#AnyDesk #CyberSecurity #Europe

**The New Oil** @thenewoil@mastodon.thenewoil.org · Feb 8

Feb 8

The New Oil @thenewoil@mastodon.thenewoil.org

Hackers exploit #SimpleHelp #RMM flaws to deploy #Sliver #malware

https://www.bleepingcomputer.com/news/security/hackers-exploit-simplehelp-rmm-flaws-to-deploy-sliver-malware/

BleepingComputer · Feb 6Hackers exploit SimpleHelp RMM flaws to deploy Sliver malwareBy Bill Toulas

#cybersecurity

**The Threat Codex** @threatcodex@infosec.exchange · Jan 5

Jan 5

The Threat Codex @threatcodex@infosec.exchange

Sliver C2 Hunt
#Sliver
https://intelinsights.substack.com/p/sliver-c2-hunt

Cyber Intelligence Insights · Jan 4Sliver C2 HuntBy Vasilis Orlof

**Habr** @habr@zhub.link · Dec 17, 2024

Dec 17, 2024

Habr @habr@zhub.link

Инструменты атакующих в 2023–2024 годах

На конференции OFFZONE 2024, которая прошла в Москве в культурном центре ЗИЛ 22–23 августа, выступил наш сотрудник Семён Рогачёв, руководитель отдела реагирования на инциденты. Он рассказал, какие инструменты сегодня чаще всего используются в кибератаках на российскую Linux- и Windows-инфраструктуру, и объяснил, как эффективно отлавливать и отражать подобные атаки. Мы написали текст по мотивам этого доклада, обогатив его данными за конец 2024 года. Статья будет полезна для тех, кто занимается пентестами и реагированием на инциденты.

https://habr.com/ru/companies/bastion/articles/862168/

ХабрИнструменты атакующих в 2023–2024 годахНа конференции OFFZONE 2024, которая прошла в Москве в культурном центре ЗИЛ, выступил наш сотрудник Семён Рогачёв, руководитель отдела реагирования на инциденты. Он рассказал, какие инструменты...

#GSocket #инструменты_хакеров #инструменты_для_атак_на_Linux

Continued thread

**Hunt & Hackett** @huntandhackett@mastodon.social · Apr 25, 2024

Apr 25, 2024

Hunt & Hackett @huntandhackett@mastodon.social

As a covert command-and-control (C2) framework, #Sliver manages and controls remote systems through communication channels. With its capabilities for information gathering and post-exploitation activities, it has become a go-to tool for APT29 and #ransomware groups alike. Discover why the Sliver framework has gained traction among threat actors and find out how we, at Hunt & Hackett, leverage the open-source forensics tool #Velociraptor to detect Sliver attack methods.

**Hunt & Hackett** @huntandhackett@mastodon.social · Apr 25, 2024 *

Apr 25, 2024 *

Hunt & Hackett @huntandhackett@mastodon.social

New #blog post!

In our latest blog, we explore methods to detect the #Sliver framework and explore how to hunt down threat actors like #APT29 (Cozy Bear) who have harnessed its power.

https://www.huntandhackett.com/blog/hunting-for-a-sliver

www.huntandhackett.comHunting for a Sliver in a haystackExplore how the Sliver framework is used by threat actors for covert control and information gathering. Learn about detection methods and hunting tactics in this insightful post.

Replied in thread

**𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲** @netresec@infosec.exchange · Apr 4, 2024

Apr 4, 2024

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 @netresec@infosec.exchange

@jeromesegura Here's another #Sliver C2 server on 94.156.65.98:8443. It's also on @abuse_ch ThreatFox
https://threatfox.abuse.ch/ioc/1252442/

This second Sliver C2 has the same JA3/JA3S as the previous one.

C2 traffic to 94.156.65.98:8443 identified as Sliver C2 by CapLoader

Replied in thread

**𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲** @netresec@infosec.exchange · Apr 4, 2024 *

Apr 4, 2024 *

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 @netresec@infosec.exchange

@jeromesegura The C2 server seems to be running on 94.156.65.115:8443
JA3: 19e29534fd49dd27d09234e639c4057e
JA3S: f4febc55ea12b31ae17cfb7e614afda8
JA4: t13i190800_9dc949149365_97f8aa674fd9

That C2 is reported as #Sliver on ThreatFox
https://threatfox.abuse.ch/ioc/1253201/
#ThreatIntel

CapLoader flow transcript of C2 session to 94.156.65.115:8443

**Deadline** @deadline@mastodon.social · Mar 13, 2024

Mar 13, 2024

Deadline @deadline@mastodon.social

“I Have So Much Dirt On Her”: Billy Baldwin Fumes At Sharon Stone After Actress Names Producer Who Pressured Her To Sleep With ‘Sliver’ Co-Star
#Casting #News #BillyBaldwin #Paramount #SharonStone #Sliver

https://deadline.com/2024/03/sharon-stone-billy-baldwin-sliver-sex-allegation-1235857028/

Deadline · Mar 13, 2024“I Have So Much Dirt On Her”: Billy Baldwin Fumes At Sharon Stone After Actress Names Producer Who Pressured Her To Sleep With ‘Sliver’ Co-StarBy Jake Kanter

**Taylor Parizo** @taylorparizo@infosec.exchange · Mar 6, 2024

Mar 6, 2024

Taylor Parizo @taylorparizo@infosec.exchange

A guide to detect and defend against the sticky keys vulnerability, writing a sigma rule for it, AND a homelab guide by @eric_capuano to follow along? What a great project idea.
#SOC #Sliver #Sigma https://lifeaftersoc.substack.com/p/life-after-soc

Life After SOC · Mar 3, 2024Life After SOC - The Bad Guys Use Sticky Keys TooBy Vince

**Habr** @habr@zhub.link · Feb 22, 2024

Feb 22, 2024

Habr @habr@zhub.link

Практическое применение Sliver’ов для создания современного UI

Hola, Amigos! На связи Саша Чаплыгин, Flutter-dev агентства продуктовой разработки Amiga. В телеграм-канале Flutter. Много мы с командой уже касались темы Sliver'ов . И сегодня я предлагаю больше погрузиться в практику. В нашей текущей работе над приложением для сети пекарен, где множество интересных задач и вопросов интерфейса, я активно применяю Sliver'ы и другие виджеты. Давайте рассмотрим, как эти техники могут преобразить создание современного пользовательского интерфейса.

https://habr.com/ru/articles/794510/

ХабрПрактическое применение Sliver’ов для создания современного UIHola, Amigos! На связи Саша Чаплыгин, Flutter-dev агентства продуктовой разработки Amiga и соавтор телеграм-канала Flutter. Много . Мы уже касались темы Sliver'ов , а сегодня я предлагаю...

#flutter #flutter_mobile_development #flutter_app_development

**KyanHexagon** @KyanHexagon@infosec.exchange · Feb 16, 2024

Feb 16, 2024

KyanHexagon @KyanHexagon@infosec.exchange

https://github.com/icyguider/UAC-BOF-Bonanza

"This repository serves as a collection of public UAC bypass techniques that have been weaponized as BOFs. A single module which integrates all techniques has been provided to use the BOFs via the Havoc C2 Framework. A extension.json file has also been provided for each bypass technique for use in Sliver."

GitHubGitHub - icyguider/UAC-BOF-Bonanza: Collection of UAC Bypass Techniques Weaponized as BOFsCollection of UAC Bypass Techniques Weaponized as BOFs - icyguider/UAC-BOF-Bonanza

#hacking #pentesting #redteam

Continued thread

**Sekoia.io** @sekoia_io@infosec.exchange · Jan 24, 2024

Jan 24, 2024

Sekoia.io @sekoia_io@infosec.exchange

By example, a #Sliver C2
https://app.sekoia.io/intelligence/public/objects/indicator--0b42a4b8-fe8e-47d8-b32b-9cb4b4d6aca3

Continued thread

**Selena Larson** @selenalarson@mastodon.social · Jan 22, 2024

Jan 22, 2024

Selena Larson @selenalarson@mastodon.social

Example command used to execute the copied explorer.exe:

Scriptrunner.exe -appvscript %temp%\explorer.exe

This command executed the newly copied explorer.exe using the LOLBAS command "Scriptrunner.exe -appvscript" serving as an evasive maneuver. This explorer.exe is #Sliver.

Continued thread

**Selena Larson** @selenalarson@mastodon.social · Jan 22, 2024

Jan 22, 2024

Selena Larson @selenalarson@mastodon.social

The VHD contained an LNK, and executing the shortcut triggered commands to copy an executable from a WebDAV share. The copied executable was named 'explorer.exe,' and various methods were then used to run this executable, which, in turn, executed the #Sliver backdoor.

**Stephan Berger** @malmoeb@infosec.exchange · Jan 19, 2024

Jan 19, 2024

Stephan Berger @malmoeb@infosec.exchange

I recently tweeted about how useful strace can be. Here is an example of a quick malware triage.

I took a recent #Sliver sample mentioned here [1] from Baazar [2] and ran it with strace on a Linux host.

We immediately find the dst_ip and the dst_port of the Sliver sample (screenshot below), making strace an incredibly useful tool for a quick malware triage, especially when doing Incident Response, and we want to find out the C2 address of the malware.

Check out the little strace book for more insights into strace [3]

[1] https://twitter.com/SI_FalconTeam/status/1738217925616496923
[2] https://bazaar.abuse.ch/sample/f5ab886589558a8a265c216f6754d1477c19ca46d8ed4d57a1ee975c590e4aab/
[3] https://nanxiao.github.io/strace-little-book/

**HN Security** @hnsec@infosec.exchange · Dec 20, 2023

Dec 20, 2023

HN Security @hnsec@infosec.exchange

As we wrap up 2023, let's take a look back at the different topics we covered in our technical #blog this year.

Our #VulnerabilityResearch series expanded with some new writeups and coordinated disclosure advisories. We also provided practical advice and tooling to aid security researchers in effective #CodeReview using #Semgrep. There’s more in store on this topic: stay tuned for the latest updates.

Exploring various aspects of #OffensiveSecurity, we shared tools and methodologies for #RedTeaming, #WebPentesting, and #MobilePentesting. Don’t miss our popular series on customizing the #Sliver adversary emulation framework and extending #BurpSuite.

As we look forward to another year of research and community sharing, we wish you all happy holidays... and happy hacking!

https://security.humanativaspa.it/

hn securityhn securityOffensive Security Specialists

**Habr** @habr@zhub.link · Dec 18, 2023

Dec 18, 2023

Habr @habr@zhub.link

[Перевод] Иголка в стоге сена: ищем следы работы C2-фреймворка Sliver

Привет, Хабр, на связи лаборатория кибербезопасности компании AP Security! Не так давно на нашем канале вышла статья по использованию фреймворка постэксплуатации Sliver C2 от Bishop Fox. Сегодня мы представляем вам исследование компании Immersive Labs по детектированию и анализу нагрузок и туннелей взаимодействия Sliver. Этот С2 всё сильнее набирает популярность, а значит специалисты по реагированию на инциденты должны быть всегда готовы столкнуться лицом к лицу с новыми техниками и инструментами. Приятного прочтения!

https://habr.com/ru/articles/781478/

ХабрИголка в стоге сена: ищем следы работы C2-фреймворка SliverПривет, Хабр, на связи лаборатория кибербезопасности компании AP Security! Не так давно на нашем канале вышла статья по использованию фреймворка постэксплуатации Sliver C2 от Bishop Fox. Сегодня мы...

#soc #sliver #forensics