Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts

In December 2023, an open directory hosting batch scripts for defense evasion and command and control was found. The scripts disable security services, delete backups and logs, and install malware such as SystemBC, Sliver, and PoshC2 to support persistent ransomware operations. (Affected: Windows, Linux systems, Security sector)

Key points:

  • Open directory discovered hosting batch scripts targeting Windows and Linux systems for defense evasion and C2 payload delivery.
  • Scripts disable antivirus, scheduled tasks, SQL, Exchange, Hyper-V services, and clear event logs to avoid detection.
  • Backups and shadow copies are deleted to prevent system recovery, indicating ransomware-related activities.
  • Remote monitoring tool Atera Agent is targeted and removed by specific batch scripts.
  • Threat actors utilize well-known C2 frameworks Sliver and PoshC2, with infrastructure active since September 2023.
  • Additional tools used include Ngrok for proxying and SystemBC malware for recon and payload delivery.
  • Two Russian IP addresses with open directories continue to host malicious payloads and scripts.
  • Scripts perform persistent changes including disabling User Account Control, enabling remote desktop, and creating backdoor user accounts.
  • Extensive scripts stop, disable, and remove security services from multiple antivirus vendors.
  • Ten new Sigma detection rules were created from this research to aid detection of similar threats.

MITRE Techniques:

  • Accessibility Features (T1546.008) – Abusing accessibility tools to gain system control without authentication.
  • Account Access Removal (T1531) – Removing or disabling user accounts to evade detection.
  • Application Layer Protocol (T1071) – Use of web protocols like HTTP/HTTPS for C2 communication.
  • Asymmetric Cryptography (T1573.002) – Encryption usage in communication channels.
  • Clear Windows Event Logs (T1070.001) – Deletion of Windows event logs to cover tracks.
  • Deobfuscate/Decode Files or Information (T1140) – Decoding obfuscated PowerShell and scripts.
  • Disable or Modify Tools (T1562.001) – Disabling security tools like Windows Defender and Malwarebytes.
  • Disable Windows Event Logging (T1562.002) – Preventing Windows event logging service operation.
  • Encrypted Channel (T1573) – Using encrypted communication for C2.
  • Inhibit System Recovery (T1490) – Deleting backups and shadow copies to thwart recovery.
  • Modify Registry (T1112) – Changing registry keys for persistence, disabling UAC, and enabling RDP.
  • PowerShell (T1059.001) – Execution of PowerShell based droppers and payloads.
  • Proxy (T1090) – Utilizing Ngrok for proxying network traffic.
  • Python (T1059.006) – Use of Python dropper scripts for payload execution.
  • Registry Run Keys / Startup Folder (T1547.001) – Persistence via registry run keys.
  • Remote Access Software (T1219) – Installation and use of remote admin tools like Atera Agent.
  • Service Stop (T1489) – Stopping and disabling critical services to weaken defenses.
  • System Owner/User Discovery (T1033) – Querying logged-in sessions and user info.
  • Web Protocols (T1071.001) – Use of HTTP and HTTPS protocols for command and control.
  • Windows Command Shell (T1059.003) – Batch script execution for various system changes.

Indicators of Compromise:

  • The article includes IP addresses (94.198.53.143 and 185.234.216.64) linked to open directories hosting malicious payloads and C2 frameworks.
  • Hashes of batch scripts and executables such as atera_del.bat, Posh_v2_dropper_x64.exe, VmManagedSetup.exe (SystemBC malware), and WILD_PRIDE.exe (Sliver implant) are provided.
  • URLs and endpoint paths used by PoshC2 C2 communications are listed, useful for network detection of malicious traffic.
  • Ngrok tokens embedded in batch scripts, indicative of proxy tunneling activity.
  • A text file ‘poshc2+user.txt’ describes creation of suspicious user accounts and RDP enabling commands.
  • Output of deletion commands targeting Windows event logs, volume shadow copies, and registry keys highlights key artifacts for host-based detection.
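As an added example (not code from the report or its Sigma rules), the host artifacts above turned into a small Python triage script: regex signatures for shadow-copy deletion, event-log clearing, UAC/RDP registry changes, security-service stops and local account creation are run over constructed process-creation events, and hosts where several of these co-occur are flagged, since the report's batch scripts chain them in one run. The rule patterns, host names, users and command lines are assumptions made here for illustration.

```python
import re

# Detection signatures for the host artifacts the report describes, each tagged with a
# MITRE technique. The regexes are illustrative assumptions, not the report's Sigma rules.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("uac_disabled_via_registry", "T1112",
     re.compile(r"\bEnableLUA\b.*/d\s+0\b", re.I)),
    ("rdp_enabled_via_registry", "T1112",
     re.compile(r"\bfDenyTSConnections\b.*/d\s+0\b", re.I)),
    ("security_service_disabled", "T1562.001",
     re.compile(r"\bsc(\.exe)?\s+(stop|config|delete)\s+\S*(defend|sense|mbam)", re.I)),
    ("local_account_created", "T1136.001",  # Create Account: Local Account (not in the list above)
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
]

# Constructed process-creation events (hypothetical hosts, users and command lines).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\admin", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\admin", "cmd": "wevtutil.exe cl Security"},
    {"host": "ws01", "user": "CORP\\admin", "cmd": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows'
     '\\CurrentVersion\\Policies\\System" /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"host": "ws02", "user": "CORP\\svc", "cmd": 'reg add "HKLM\\SYSTEM\\CurrentControlSet'
     '\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "ws02", "user": "CORP\\svc", "cmd": "net user svc_backup Placeholder1 /add"},
    {"host": "ws03", "user": "CORP\\jdoe", "cmd": "notepad.exe notes.txt"},
    {"host": "ws03", "user": "CORP\\jdoe", "cmd": "sc config WinDefend start= disabled"},
]

def match_rules(command_line):
    """Return (rule_name, technique_id) for every rule the command line triggers."""
    return [(name, tid) for name, tid, pat in RULES if pat.search(command_line)]

def hits_by_host(events):
    """Map each host to the sorted list of distinct rule names it triggered."""
    per_host = {}
    for ev in events:
        for name, _ in match_rules(ev["cmd"]):
            per_host.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in per_host.items()}

def flagged_hosts(events, min_distinct=2):
    """Hosts triggering at least min_distinct different rules; the report's scripts chain
    these steps in a single run, so co-occurrence is the stronger signal than any one hit."""
    return sorted(h for h, names in hits_by_host(events).items() if len(names) >= min_distinct)

if __name__ == "__main__":
    print(hits_by_host(SAMPLE_EVENTS))
    print(flagged_hosts(SAMPLE_EVENTS))
```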

Read more: https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/