CyberSecurity SEE

Enhancing Evasion and Bypassing EDR Detection with Customized Sliver Framework

The Sliver Command & Control (C2) framework, an open-source tool written in Go, has gained popularity among offensive security practitioners since its launch in 2020. However, with the advancement of detection mechanisms, default Sliver payloads are increasingly being detected by Endpoint Detection and Response (EDR) solutions.

Recent research has revealed that strategic modifications to the framework’s source code can significantly improve its evasion capabilities against modern EDR systems. Two of the primary challenges faced by Sliver are its large binary size, up to 30 MB, and the static signatures present in its protocol buffer files, which make it susceptible to detection by YARA rules.

To address this issue, researchers identified these static signatures, such as specific strings in the sliver.proto file, and replaced them with alternative naming conventions. Renaming messages like ScreenshotReq to ScShotReq and carrying the changes through the auto-generated files eliminated numerous static detections. Behavioral detections posed a further significant obstacle, especially because Sliver’s default shellcode generation relies on Donut’s AMSI bypass, which is heavily signatured.
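To make the static-signature point concrete from the defender’s side, the following added example (not code from the original article, from FortBridge, or from the Sliver project) implements the kind of exact-string check a simple YARA rule performs and runs it over two constructed byte blobs: one carrying the protobuf message name ScreenshotReq that the research cites, and one carrying the renamed ScShotReq. The signature list is illustrative: ScreenshotReq comes from the article, while sliver.proto as an embedded descriptor string is an assumption added here, not a vetted rule set.

```python
import string

# Illustrative static-signature set. "ScreenshotReq" is the protobuf message
# name the research cites as a static indicator; "sliver.proto" is an
# assumption added for this example (descriptor file names are often embedded
# in protobuf-using binaries), not part of any published rule.
STATIC_SIGNATURES = (
    b"ScreenshotReq",
    b"sliver.proto",
)

# Printable ASCII excluding control whitespace, i.e. 0x20..0x7e.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII of at least min_len bytes,
    the same idea as the `strings` utility a YARA rule effectively matches over."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:
        out.append(bytes(run))
    return out


def match_signatures(blob: bytes, signatures=STATIC_SIGNATURES) -> list:
    """Exact substring match of each signature against the extracted strings.
    Returns the list of signatures that hit, in signature order."""
    found = []
    strs = extract_strings(blob)
    for sig in signatures:
        if any(sig in s for s in strs):
            found.append(sig)
    return found


def build_sample(message_name: bytes) -> bytes:
    """Constructed stand-in for a payload: filler bytes around one embedded
    message name, separated by NULs so it surfaces as its own string run."""
    filler = bytes(range(256)) * 2          # constructed, not real payload bytes
    return filler + b"\x00" + message_name + b"\x00" + filler


# Constructed samples: an unmodified-style build and a renamed build.
DEFAULT_SAMPLE = build_sample(b"ScreenshotReq")
RENAMED_SAMPLE = build_sample(b"ScShotReq")


def verdict(blob: bytes) -> str:
    """Human-readable result of the static check for one blob."""
    hits = match_signatures(blob)
    if hits:
        return "flagged by static signature(s): " + ", ".join(h.decode() for h in hits)
    return "clean under exact-string matching"


if __name__ == "__main__":
    print("default-style build:", verdict(DEFAULT_SAMPLE))
    print("renamed build:      ", verdict(RENAMED_SAMPLE))
```

Running the block shows the first sample flagged and the second reported clean even though ScShotReq is plainly visible in its string table; an exact-string rule carries no notion of the structure it is really trying to detect. That asymmetry is why the article’s closing advice to defenders is to layer structural and behavioral detections on top of string signatures rather than rely on them alone.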

By modifying the source code to disable this bypass and introducing custom shellcode loaders that dynamically map payloads into memory, researchers were able to evade detection during runtime. Although these changes addressed static signatures, certain runtime behaviors triggered alerts in EDR systems like Elastic Agent. For instance, using Go’s LazyDLL type triggered alerts such as "Network Library Loaded from Unbacked Memory."

Researchers explored various techniques to mitigate this, including module stomping and API hooking, but eventually settled on simpler methods such as writing dynamic libraries to disk with modified export functions. Additional refinements involved removing unused exported functions and renaming key method calls to obscure their presence in memory.

Automating these modifications with scripts that replaced the problematic strings across the codebase kept the builds consistent and made recompilation efficient. After implementing these changes, the customized Sliver payloads underwent rigorous testing against multiple EDR solutions.

The results showed zero detections in static scans, and dynamic analysis in sandbox environments like LitterBox confirmed the successful evasion of runtime alerts. The final payloads were able to establish callbacks on systems running Elastic Agent without triggering any behavioral detections, as reported by FortBridge.

This research showcases the potential of adapting open-source tools like Sliver for advanced red team operations. By making minor code edits and utilizing automation scripts, practitioners can bypass even sophisticated detection mechanisms without the need to create custom frameworks from scratch. However, it also emphasizes the ongoing battle between offensive tooling and defensive technologies, highlighting the importance of continuous innovation on both ends.

While these findings offer valuable insights for red team operators, they also underscore the necessity for defenders to enhance their detection strategies beyond static signatures and predictable behavioral patterns. This evolution in offensive security tools and defensive technologies signifies a never-ending race for supremacy in the cybersecurity landscape.
