In the ever-evolving field of cybersecurity, offensive security practitioners often face the dilemma of creating custom tools from scratch or modifying existing open-source frameworks.
The Sliver Command & Control (C2) framework, written in Go, has become a popular choice due to its versatility and multi-platform support.
However, as endpoint detection and response (EDR) systems have matured, Sliver’s default payloads have become increasingly detectable.
Recent advancements demonstrate how slight modifications to Sliver’s source code can bypass both static and behavioral detection mechanisms, offering red teams a stealthier approach.
Addressing Detection Challenges in Sliver
Sliver’s initial appeal lay in its ability to evade detection through large implant sizes and obfuscated symbols.
However, as the framework gained popularity, security researchers developed static YARA rules to identify its payloads.
This led to a need for innovative approaches to maintain its operational viability against modern defenses such as Elastic EDR and Windows Defender.
One major obstacle was Sliver’s large binary size, which made it conspicuous in memory during idle states.
To counter this, researchers explored techniques such as staged payloads that avoid touching disk and embedding encrypted implants in loaders that self-inject at runtime.
Despite these efforts, initial tests against Elastic EDR revealed consistent detections due to static signatures embedded in the framework’s protobuf-generated code.
The first step involved addressing YARA rule detections by modifying protobuf definitions in the framework.

For instance, renaming structures like ScreenshotReq in the sliver.proto file and regenerating the associated Go files eliminated specific signature matches.
Similarly, replacing hardcoded constants and altering initialization routines helped bypass additional rules targeting Sliver’s default behavior.
To automate these changes, a custom bash script was developed using utilities like sed for string replacements across the codebase.
This streamlined the process of editing source files and recompiling the framework, ensuring consistency across builds.
Overcoming Behavioral Detections
While static signature evasion proved successful, behavioral detections posed a greater challenge.
For example, Elastic EDR flagged Sliver’s use of the Windows API LoadLibraryExW for loading network libraries from unbacked memory.
Attempts to bypass this alert included preloading libraries or using hardware breakpoints to intercept API calls.
However, these methods failed to achieve the desired stealth.
Ultimately, researchers resorted to writing dynamic libraries to disk while removing detectable strings from exported functions like DllRegisterServer and GetJitter.

By modifying these elements in both sliver.proto and the associated Go files, they eliminated runtime detections triggered by behavioral analysis tools.
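The behavioral signal described above (a network-capable library being loaded from memory that is not backed by a file on disk) is a check defenders can reason about independently of any string in the binary. The following is an added illustration, not code from the article or from Sliver or Elastic: it runs a simplified version of that check over a few constructed telemetry events. The event fields (pid, image, api, module, caller.backed_by, caller.protect) and the list of network DLLs are assumptions made for this example, not any vendor's schema.

```python
"""Flag LoadLibrary* calls that load a network DLL from unbacked memory.

Constructed example: the telemetry format and field names are hypothetical.
"""
import json

# Assumed watchlist of DLLs that give a process network capability.
NETWORK_DLLS = {"winhttp.dll", "wininet.dll", "ws2_32.dll", "dnsapi.dll"}
# The loader APIs the check applies to (LoadLibraryExW is the one the article names).
LOAD_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample telemetry, one JSON event per line.
# "backed_by" is the file backing the memory region that made the call;
# null means the call came from a region with no file on disk behind it.
SAMPLE_TELEMETRY = """\
{"pid": 4120, "image": "explorer.exe", "api": "LoadLibraryExW", "module": "winhttp.dll", "caller": {"backed_by": "explorer.exe", "protect": "RX"}}
{"pid": 5508, "image": "notes.exe", "api": "LoadLibraryExW", "module": "winhttp.dll", "caller": {"backed_by": null, "protect": "RWX"}}
{"pid": 5508, "image": "notes.exe", "api": "LoadLibraryExW", "module": "version.dll", "caller": {"backed_by": null, "protect": "RWX"}}
{"pid": 6012, "image": "app.exe", "api": "GetProcAddress", "module": "ws2_32.dll", "caller": {"backed_by": null, "protect": "RX"}}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unbacked_network_load(event):
    """True when a loader API pulls in a network DLL from a non-file-backed caller."""
    caller = event.get("caller") or {}
    return (
        event.get("api") in LOAD_APIS
        and event.get("module", "").lower() in NETWORK_DLLS
        and caller.get("backed_by") is None
    )


def scan(text):
    """Return one alert dict per suspicious event in the telemetry."""
    alerts = []
    for ev in parse_events(text):
        if is_unbacked_network_load(ev):
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "module": ev["module"],
                "reason": (
                    f"{ev['api']} loaded {ev['module']} from unbacked "
                    f"{ev['caller'].get('protect', '?')} memory"
                ),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_TELEMETRY):
        print(json.dumps(alert))
```

Only the second event is flagged: the first has a file-backed caller, the third loads a DLL that is not on the network watchlist, and the fourth is not a loader API. Note that the check never looks at symbol names, which is why the article reports that renaming protobuf structures had no effect on it; the workaround described above was to drop the library to disk so the caller becomes file-backed, which is a reminder that a single behavioral rule is one layer and should be paired with checks on newly written modules.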
After extensive modifications and testing, the customized Sliver payloads successfully evaded both static and dynamic analysis tools.
Scans using platforms like LitterBox confirmed zero detections across multiple scenarios.
The final implementation included a basic library loader that executed the implant dynamically without raising alerts on systems running Elastic agents.
This success underscores the potential of tailoring open-source frameworks like Sliver for advanced red team engagements.
While such modifications require technical expertise and iterative testing, they offer a practical alternative to building entirely new tools from scratch.
According to the report, the findings highlight a broader trend in offensive security: leveraging open-source frameworks while adapting them to bypass modern defenses.
Projects like Better-Sliver and SliverCloak have already incorporated similar enhancements, demonstrating the community’s commitment to evolving these tools.
Additionally, training programs such as ZeroPoint Security’s Certified Red Team Operator (CRTO) courses provide valuable insights into these techniques.
As defenders continue to refine their detection capabilities, offensive teams must remain agile by exploring innovative methods like those demonstrated with Sliver.
This iterative approach ensures that red teams can stay ahead of evolving security measures while maintaining operational effectiveness.