Concrete signature match: Virus Tool - Tool used to create or modify malware for Linux platform, family Sliver
This detection identifies VirTool:Linux/Sliver.A!MTB, the Linux implant of Sliver, an open-source post-exploitation and command-and-control framework. The implant gives an operator persistent remote access to the host and exposes session management, process manipulation (including kill, migrate and elevate requests), network reconnaissance (interface enumeration, port forwarding, SOCKS and WireGuard tunnels), SSH command execution, screenshots and data exfiltration. It is detected via concrete string signatures and malicious behavioral patterns.

Relevant strings associated with this threat. The entries tagged PEHSTR_EXT are PE (Windows) string signatures for the wider Sliver family, which is why several reference Windows-only paths and registry types; the ELF rule below keys on its own three strings. The NID entries are the family's GUID-style identifiers, each listed with the two surrounding byte sequences under which it appears:
- sliverpb.Register.ActiveC2 (PEHSTR_EXT)
- sliverpb.KillSessionReq (PEHSTR_EXT)
- sliverpb.Register.PidPid (PEHSTR_EXT)
- sliverpb.IfconfigReq (PEHSTR_EXT)
- sliverpb.TerminateReq (PEHSTR_EXT)
- sliverpb.NetInterfaces (PEHSTR_EXT)
- /xc/load.go (PEHSTR_EXT)
- main.bake (PEHSTR_EXT)
- syscall/zsyscall_windows.go (PEHSTR_EXT)
- sliverpb.NetInterface (PEHSTR_EXT)
- sliverpb.WGSocksServer (PEHSTR_EXT)
- sliverpb.PortfwdProtocol (PEHSTR_EXT)
- sliverpb.WGTCPForwarder (PEHSTR_EXT)
- .sliverpb.RegistryType (PEHSTR_EXT)
- .sliverpb.WindowsPrivilegeEntryR (PEHSTR_EXT)
- *sliverpb.Process (PEHSTR_EXT)
- *sliverpb. (PEHSTR_EXT)
- *sliverpb.Migrate (PEHSTR_EXT)
- *sliverpb.Elevate (PEHSTR_EXT)
- *sliverpb.Kill (PEHSTR_EXT)
- H;a (PEHSTR_EXT)
- |#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- }#d1e49aac-8f56-4280-b9ba-993a6d77406c (NID)
- &|#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- &}#b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 (NID)
- y*|#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- y*}#56a863a9-875e-4185-98a7-b882c64b5ce5 (NID)
- C|#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- C}#be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 (NID)
- L|#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- L}#3b576869-a4ec-4529-8536-b80a7769e899 (NID)
- |#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- }#5beb7efe-fd9a-4556-801d-275e5ffc04cc (NID)
- |#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- }#01443614-cd74-433a-b99e-2ecdc07bfc25 (NID)
- |#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- }#d3e037e1-3eb8-44c8-a917-57927947596d (NID)
- |#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- }#7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c (NID)
- |#92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (NID)
- }#92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (NID)

YARA rule for this detection:
rule VirTool_Linux_Sliver_A_2147888493_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Linux/Sliver.A!MTB"
        threat_id = "2147888493"
        type = "VirTool"
        platform = "Linux: Linux platform"
        family = "Sliver"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "ScreenshotReq" ascii //weight: 1
        $x_1_2 = "SSHCommandReq" ascii //weight: 1
        $x_1_3 = "runtime.persistentalloc" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Hashes listed with this detection:
- 3633dddcaf46a323cbcad2d7dbc8e4a5a3405d0346eda8c916b1298d905fbbc3
- e3d5dec266eadd53bd507d450e556aafe6707e936f45f92b6e4a25b9fd571e75
- adaaebe10e8686a0e05ab0b1b07ed86731d65b1ce5b4488d7dca47bca5fa2443
- e2af492aa9a1d034518023323f999627f42f1cfa7618cbf3d10565d28859185d
- 38e0b2c4756bcb35c8405502f29b0b447a849e795e11ec24ef058ae2489e0452

Remediation: immediately isolate the affected Linux host from the network. Perform a full forensic analysis to identify the initial access vector, any lateral movement from the host, and any persistence mechanisms or additional backdoors the operator installed. Remove the implant, patch the vulnerabilities that were exploited, strengthen authentication and rotate credentials and keys that were reachable from the host, and keep monitoring for further suspicious activity.
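The condition of the rule above, re-implemented as a stand-alone Python scanner so its logic can be checked without a YARA install. This is an added example, not the page's scanner or Microsoft's engine: it assumes the rule is applied only to ELF files (the ELFHSTR_EXT signature type), that the strings are matched as raw ASCII bytes anywhere in the file, and that `threshold = "3"` is the summed weight the matched strings must reach. The functions `evaluate_bytes`, `evaluate_file` and `scan_dir` and the `SAMPLE_*` byte strings are mine; the samples are constructed images, not real Sliver binaries.

```python
"""Stand-alone re-implementation of the VirTool:Linux/Sliver.A!MTB rule logic.

Added example; not the original page's code. Assumptions: ELF-only matching,
raw ASCII substring search, and 'threshold' = minimum summed weight.
"""
import sys
from pathlib import Path

MAX_SIZE = 20 * 1024 * 1024          # rule: filesize < 20MB
ELF_MAGIC = b"\x7fELF"               # ELFHSTR_EXT: assume only ELF images are scanned

# Strings and weights copied from the rule on this page.
RULE_STRINGS = {
    b"ScreenshotReq": 1,             # sliverpb request message name
    b"SSHCommandReq": 1,             # sliverpb request message name
    b"runtime.persistentalloc": 1,   # Go runtime symbol, present in any Go binary
}
THRESHOLD = 3                        # rule meta "threshold"; equals the sum of all weights


def evaluate_bytes(data: bytes) -> dict:
    """Apply the rule's condition to an in-memory file image.

    Mirrors (filesize < 20MB) and (all of ($x*)). Returns the matched
    strings, the summed weight, and whether the rule fires.
    """
    matched = [s.decode() for s in RULE_STRINGS if s in data]
    score = sum(RULE_STRINGS[s.encode()] for s in matched)
    is_elf = data.startswith(ELF_MAGIC)
    size_ok = len(data) < MAX_SIZE
    return {
        "is_elf": is_elf,
        "size_ok": size_ok,
        "matched": matched,
        "score": score,
        "fires": is_elf and size_ok and score >= THRESHOLD,
    }


def evaluate_file(path: Path) -> dict:
    """Size-gate on stat() first so an oversized file is never read into memory."""
    if path.stat().st_size >= MAX_SIZE:
        return {"is_elf": None, "size_ok": False, "matched": [], "score": 0, "fires": False}
    return evaluate_bytes(path.read_bytes())


def scan_dir(root: Path) -> list:
    """Walk a directory tree and return (path, verdict) for every file that fires."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            verdict = evaluate_file(p)
            if verdict["fires"]:
                hits.append((p, verdict))
    return hits


# Constructed sample images (not real binaries): an ELF header, padding, and
# the kind of strings a Go-built Sliver implant carries in its pclntab/rodata.
_HEADER = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64
SAMPLE_HIT = _HEADER + b"sliverpb.ScreenshotReq\x00sliverpb.SSHCommandReq\x00runtime.persistentalloc"
SAMPLE_GO_ONLY = _HEADER + b"runtime.persistentalloc\x00main.main"   # any Go ELF, not Sliver
SAMPLE_NOT_ELF = b"MZ" + SAMPLE_HIT[4:]                              # same strings, non-ELF header

if __name__ == "__main__":
    for name, image in (("hit", SAMPLE_HIT), ("go-only", SAMPLE_GO_ONLY), ("not-elf", SAMPLE_NOT_ELF)):
        print(name, evaluate_bytes(image))
    for target in sys.argv[1:]:
        for path, verdict in scan_dir(Path(target)):
            print(f"{path}: matched {verdict['matched']}")
```

Run it with one or more directories as arguments to scan them, or with none to see the three constructed samples evaluated. Note that `runtime.persistentalloc` is a symbol of the Go runtime and is present in essentially every Go binary, so it contributes nothing Sliver-specific; the discriminating strings are the two sliverpb request message names, which is why the Go-only image scores 1 and does not fire. With all three weights at 1 and the threshold at 3, the weighted score and `all of ($x*)` are equivalent.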