In recent years Cobalt Strike has been the main exploitation and post-exploitation framework used by criminal and state-affiliated threat actors. However, advancements in Cobalt Strike Beacon detection have made it harder for threat actors to use it successfully.
In recent months we have observed a switch to alternative frameworks, such as Brute Ratel, Sliver, and Manjusaka.
While these are not yet as widespread as Cobalt Strike, both eCrime and state-affiliated threat actors have already deployed them in their campaigns.
QuoIntelligence assesses that the move to alternatives to Cobalt Strike will continue. As such, detection and prevention measures must be adjusted accordingly to ensure coverage of these emerging exploitation frameworks.
In this report we describe the functionality of, and suggested detection measures for, three frameworks that are gaining an increasing footprint – Sliver, Brute Ratel, and Manjusaka.