Sliver Framework Customized to Boost Evasion & Bypass EDR Detections

Sliver, a multi-platform Command & Control framework written entirely in Go, has gained significant traction in offensive security since its 2020 release.

The framework provides red teams with powerful post-exploitation capabilities, but as its user base has expanded, evading detection has become increasingly difficult. Initially, newly generated payloads could evade detection nine times out of ten when dropped on disk, thanks to their large implant size and obfuscated symbols.

As security vendors have developed static signatures targeting Sliver’s standard configurations, out-of-the-box implants are now detected much faster.


This detection challenge has prompted operators to explore customization options that could help the framework evade modern Endpoint Detection and Response (EDR) systems.

The framework’s main drawbacks include large binary sizes (up to 30 MB) and the lack of a sleep mask, making it difficult to hide in memory during idle moments.

Fortbridge researchers identified that with relatively simple code modifications, security practitioners can significantly enhance Sliver’s ability to bypass detection mechanisms, particularly static YARA signatures employed by security products.

This approach strikes a practical balance between agility and effectiveness, allowing red teams to continue using the framework without building entirely new tooling from scratch.

The impact of these evasion techniques is substantial, as they allow red team operators to deploy Sliver in environments protected by modern security solutions without immediate detection, potentially extending the dwell time during security assessments or, more concerningly, during actual breaches.

Detection Evasion Techniques

The most effective evasion technique identified involves modifying the framework’s protobuf data definitions.

Sliver relies on these definitions to generate the Go source code that serializes its data structures. Many positive detections originate from strings defined in the .proto files, such as “ScreenshotReq” in sliver.proto:

message ScreenshotReq {
    commonpb.Request Request = 9;
}

By changing these message names in the source code and regenerating the protobuf files, the researchers were able to avoid triggering signature-based detections. A simple automation script using Linux’s sed utility demonstrates this approach:

#!/usr/bin/env bash
# Rename one protobuf message name in sliver.proto; the Go code must be
# regenerated from the .proto files afterwards for the change to take effect.
FILE_TO_EDIT='/root/sliver-repo/protobuf/sliverpb/sliver.proto'
if [ ! -f "$FILE_TO_EDIT" ]; then
    echo "The file $FILE_TO_EDIT does not exist!"
    exit 1
fi
SEARCH_FOR='ScreenshotReq'
REPLACE_WITH='ScShotReq'
# -i edits the file in place; '|' is used as the delimiter so that
# the pattern and replacement need no escaping of '/' characters
sed -i "s|$SEARCH_FOR|$REPLACE_WITH|g" "$FILE_TO_EDIT"
echo "sliver.proto File edited successfully."

Additional modifications targeted Windows Defender YARA rules by replacing the ASCII strings those rules match as byte sequences, including “DllUnregisterServer”, “GetJitter”, and “VoidFunc”.

These strings represent exported functions that execute a Sliver dynamic library using LOLBin regsvr32.exe or enable Sliver to work with PowerSploit’s Invoke-ReflectivePEInjection.ps1 script.
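To make the detection side of the two passages above concrete, here is an added example (not code from the article, from Fortbridge, or from the Sliver project) that mimics a string-based static signature: it scans a byte buffer for the indicator strings the article names (“ScreenshotReq”, “DllUnregisterServer”, “GetJitter”, “VoidFunc”) in both ASCII and UTF-16LE form and only flags the buffer when several distinct indicators are present. The two sample buffers are constructed for illustration and are not real implant bytes; the function names and the threshold value are this example's own choices.

```python
"""Illustrates why single-string static signatures are brittle.

Added example, not part of the original article or the Sliver project.
The indicator strings are the ones the article names; the sample buffers
below are constructed stand-ins, not bytes taken from any real binary.
"""
import re

# Strings the article reports as drivers of positive detections in
# stock Sliver builds (a protobuf message name and exported functions).
INDICATOR_STRINGS = [
    "ScreenshotReq",
    "DllUnregisterServer",
    "GetJitter",
    "VoidFunc",
]


def build_patterns(strings):
    """Compile one regex per indicator that matches either its ASCII form or
    its UTF-16LE form, since Windows binaries carry strings in both."""
    patterns = {}
    for s in strings:
        ascii_form = re.escape(s.encode("ascii"))
        wide_form = re.escape(s.encode("utf-16-le"))
        patterns[s] = re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")")
    return patterns


PATTERNS = build_patterns(INDICATOR_STRINGS)


def scan(blob, min_hits=2):
    """Return (sorted list of matched indicators, flagged?).

    The verdict requires min_hits distinct indicators so that a single
    generic name does not fire on its own: DllUnregisterServer, for
    instance, is a standard export of many legitimate COM DLLs.
    """
    hits = sorted(name for name, pat in PATTERNS.items() if pat.search(blob))
    return hits, len(hits) >= min_hits


# Constructed sample: stands in for a stock build with all strings intact.
STOCK_SAMPLE = (
    b"\x00padding\x00ScreenshotReq\x00"
    + "GetJitter".encode("utf-16-le")
    + b"\x00VoidFunc\x00DllUnregisterServer\x00"
)

# Constructed sample: the proto message and two exports renamed, with the
# generic COM export left in place to show it is not enough on its own.
RENAMED_SAMPLE = (
    b"\x00padding\x00ScShotReq\x00"
    + "GtJtr".encode("utf-16-le")
    + b"\x00VdFnc\x00DllUnregisterServer\x00"
)

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_SAMPLE), ("renamed", RENAMED_SAMPLE)):
        hits, flagged = scan(sample)
        print(f"{label}: hits={hits} flagged={flagged}")
```

Run as a script, the stock sample matches all four indicators and is flagged, while the renamed sample matches only the generic COM export and is not. The point for defenders is the one the article makes: a rule keyed to a handful of build-time strings is defeated by a one-line sed edit, so coverage of a tool like this has to rest on behavioural and memory-based detections as well.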

When tested against Elastic EDR and Windows Defender, these customized Sliver implants successfully evaded detection both on disk and in memory, demonstrating how minor modifications to open-source offensive tools can significantly challenge modern security solutions.

While these modifications allow Sliver to evade static detections, researchers note that many commands built into the Sliver implant will still trigger Elastic behavioral alerts during runtime.

Similar projects like better-sliver and slivercloak have implemented many of these modifications, indicating a growing trend toward customization of open-source offensive security tools to enhance their stealth capabilities.


Tushar Subhra Dutta