Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts

Aug. 12, 2024, 12:13 p.m.

Description

An investigation by The DFIR Report revealed a collection of batch scripts designed for defense evasion and for executing command-and-control payloads. The scripts performed a range of actions: killing antivirus processes, stopping services related to SQL, Hyper-V, security tools and Exchange servers, erasing backups, wiping event logs, and installing or removing remote monitoring tools. Additional tooling included Ngrok, SystemBC, Sliver and PoshC2. The threat actors have been active intermittently since September 2023, with the most recent activity observed in August 2024.
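The behaviours listed above (killing security processes, stopping SQL/Hyper-V/Exchange services, deleting backups, clearing event logs, encoded PowerShell, scheduled-task persistence) all surface as process-creation events, so the natural place to catch them is a Sysmon Event ID 1 or Security 4688 feed. The Python below is an added example written for this page, not a detection published by The DFIR Report or the indicator feed: the sample events are constructed, the process and service names in the rules are an illustrative subset, and the ATT&CK IDs it assigns are my own mapping (T1562.001, T1059.001 and T1053.005 appear in the page's Attack Patterns list; T1489, T1490 and T1070.001 do not). The point it adds over the prose is the correlation step: one `vssadmin delete shadows` may be an administrator, but several distinct techniques on one host in quick succession is the signature of a script like the ones described.

```python
"""Rule-based detection of the batch-script behaviours over Windows
process-creation events (Sysmon EID 1 / Security 4688 style records).

Constructed example for this page.  Rules, process names and ATT&CK
mapping are illustrative assumptions, not the report's own detections.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (ATT&CK technique, human label, regex applied to the full command line)
RULES = [
    ("T1562.001", "security tool process killed",
     re.compile(r"\btaskkill(\.exe)?\b.*?/im\s+"
                r"(MsMpEng|MsSense|SentinelAgent|CSFalcon\w*|mbam\w*|avp|ekrn|Sophos\w*)\.exe", re.I)),
    ("T1562.001", "Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1489", "SQL / Hyper-V / Exchange / security service stopped or disabled",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+(stop|config)\s+\"?"
                r"(MSSQL\w*|SQL\w*|vmms|vmcompute|MSExchange\w*|WinDefend|Sense|MBAMService)", re.I)),
    ("T1490", "shadow copies / backup catalog deleted",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\w+", re.I)),
    ("T1059.001", "encoded PowerShell command",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("T1053.005", "scheduled task created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]

# Constructed process-creation events: WS01 shows the scripted burst,
# WS02 shows a lone backup operation and benign administrative noise.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-08-01T03:12:04Z", "host": "WS01", "cmdline": "cmd.exe /c taskkill /F /IM MsMpEng.exe"},
    {"ts": "2024-08-01T03:12:05Z", "host": "WS01", "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2024-08-01T03:12:06Z", "host": "WS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-08-01T03:12:07Z", "host": "WS01", "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2024-08-01T03:12:08Z", "host": "WS01", "cmdline":
        "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"ts": "2024-08-01T03:12:09Z", "host": "WS01", "cmdline":
        'schtasks /create /tn "Updater" /tr C:\\ProgramData\\run.bat /sc onlogon /ru SYSTEM'},
    {"ts": "2024-08-01T09:40:11Z", "host": "WS02", "cmdline": "net stop spooler"},
    {"ts": "2024-08-01T09:41:02Z", "host": "WS02", "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    {"ts": "2024-08-01T09:42:30Z", "host": "WS02", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """Return (technique, label) for every rule the command line matches."""
    return [(tech, label) for tech, label, rx in RULES if rx.search(cmdline)]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per (event, matching rule); the event fields are copied through."""
    alerts = []
    for ev in events:
        for tech, label in classify(ev["cmdline"]):
            alerts.append({**ev, "technique": tech, "label": label})
    return alerts


def correlate(alerts: List[Dict[str, str]], min_techniques: int = 3) -> Dict[str, List[str]]:
    """Hosts on which at least `min_techniques` distinct techniques fired.

    This is the step that separates a scripted kill chain from an admin
    running a single vssadmin or net stop command by hand.
    """
    by_host: Dict[str, set] = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["technique"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = scan(EVENTS)
    for a in hits:
        print(f'{a["ts"]} {a["host"]} {a["technique"]:<10} {a["label"]}: {a["cmdline"]}')
    for host, techs in correlate(hits).items():
        print(f"HIGH: {host} shows scripted defense-evasion burst: {', '.join(techs)}")
```

Tune `min_techniques` and the service/process lists to the estate; on a real feed the correlation should also be bounded by a time window (a few minutes), which is omitted here because the constructed events are already ordered and clustered.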

Date

Published: Aug. 12, 2024, 11:45 a.m.
Created: Aug. 12, 2024, 11:45 a.m.
Modified: Aug. 12, 2024, 12:13 p.m.

Indicators

fdc105ae79dff83f31777c6e047272c5b372251a3af49e20370e7ee9d1c70763

ea7dec8fa52d2300350367691ae2fbea13dbd5bf80d6b43b05eedf197529aa77

d97e2e5e6b23ee0f1efa7326d7ac3240a0df9770bf7c2992eec890f073c9cada

cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2

beb5022543a1e12e1f8f5ffe5d520e5fc9cf623aea512cfb43ea2f8c2897420c

b0056bef817408449470d3fa43e13cbc89cabdae795b1dc8cbe9905c5946f530

a668a98e57c03decf6ea76bb32f67f3f077ef2277e57f4117d44f4342977fddf

91d9c73b804aae60057aa93f4296d39ec32a01fe8201f9b73f979d9f9e4aea8b

87ab1707a553557b10fa721a32f053fbb40d11de6f692e96e067d03316fe530b

7e623f907b4a4c924cd8af3bf4b8df45b6f904723cbb26ec87cfe7792388afe1

6cff22a3ea7c054075b9aded5933587bf997623183539e10e426d103d604f046

63229da1bed0c0eafc4ed087651af3eec521e7fbd098300f7d862582d03a675d

5b43428452a867ad61554d763c8f19ca4cd8af8c31194304785e9e45f9258441

512beb7dfa9fdbc8be7fbf59c7bec7911296f9e36c8a3d3b95e7aef4a88bf09c

4106ce787cf73d7f8215311a241f0e42426301a5a2078da9e3349afade2df684

38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955

3691dbb1834db4eb8ef4c195d26779b87db267a56f2ebca6c146a53fb8adb9c0

2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465

1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed

0e626e01d3ae7840aa486468f40138284ccbd70dfe336a6b5d4008d01eb79988

09f91e90a1604a633c00d6039581f552603421356cb1edb62e085b32ff01b94e

03b3c37300bf9dcfaa4594e86841b70263324dda305484fb268b27deb09f936c

08d40a402b3754e52e4e86003bffddfdccbceefd335f53591f4cf715f8d30321

039bf780ae46875945344af489a590c5b7a36d458372a3173b55b3dc3559dfff

01ec91a3145332174eef9239f7767adaa5e3dff3a436dfb7d2f978f88ea6cd93

1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386

94.198.55.181

94.198.51.247

94.198.53.143

185.234.216.64

http://94.198.55.181:4337

http://94.198.51.247:4337

Attack Patterns

PoshC2

Sliver

T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall)

T1562.004 (Impair Defenses: Disable or Modify System Firewall)

T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control)

T1053.005 (Scheduled Task/Job: Scheduled Task)

T1074 (Data Staged)

T1018 (Remote System Discovery)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1505 (Server Software Component)

T1562.001 (Impair Defenses: Disable or Modify Tools)

T1070 (Indicator Removal)