Sliver Framework Customized Enhances Evasion and Bypasses EDR Detection
The Sliver Command & Control (C2) framework, an open-source tool written in Go, has been a popular choice for offensive security practitioners since its release in 2020.
However, as detection mechanisms evolve, out-of-the-box Sliver payloads are increasingly flagged by Endpoint Detection and Response (EDR) solutions.
Recent research demonstrates how minor yet strategic modifications to the framework’s source code can significantly enhance its evasion capabilities against modern EDR systems.
Overcoming Static and Behavioral Signatures
Sliver’s primary weaknesses, from an evasion standpoint, are its large binary size (up to 30 MB) and the static signatures embedded in its protocol buffer definitions, which YARA rules readily match.

Researchers began by identifying these static signatures, such as specific strings in the sliver.proto file, and replacing them with alternative naming conventions. For instance, renaming the ScreenshotReq message to ScShotReq and propagating the change across the framework’s auto-generated files helped eliminate several static detections.
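As an added defender-side illustration (not code from the page or from the research it summarizes), the following Python scanner shows why an exact-string indicator set is brittle against the rename described above, and what a slightly more rename-tolerant check looks like. The indicator list beyond ScreenshotReq and sliver.proto, the two sample buffers, and the function names are all constructed for this example.

```python
import re
from typing import Dict, List

# Hypothetical indicator set: strings a static rule might key on. Only
# ScreenshotReq and sliver.proto come from the page; the rest is constructed.
STATIC_INDICATORS = [b"sliver.proto", b"ScreenshotReq", b"sliverpb"]

# Protobuf request/response message names tend to keep a Req/Resp suffix even
# after the base name is changed (ScreenshotReq -> ScShotReq), so a suffix
# heuristic survives the rename, at the cost of more noise.
MESSAGE_NAME = re.compile(rb"^[A-Z][A-Za-z0-9]*(Req|Resp)$")


def extract_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Return printable ASCII runs of at least min_len bytes (a minimal `strings`)."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def match_indicators(data: bytes, indicators=STATIC_INDICATORS) -> Dict[bytes, List[int]]:
    """Map each indicator to the byte offsets where it occurs. Exact match only:
    this is the behaviour of a plain string rule, and it fails after a rename."""
    hits: Dict[bytes, List[int]] = {}
    for ind in indicators:
        offsets = [m.start() for m in re.finditer(re.escape(ind), data)]
        if offsets:
            hits[ind] = offsets
    return hits


def message_name_candidates(data: bytes) -> List[bytes]:
    """Rename-tolerant heuristic: dotted identifiers whose last segment looks like
    a protobuf request/response message name."""
    found = []
    for s in extract_strings(data):
        tail = s.rsplit(b".", 1)[-1]
        if MESSAGE_NAME.match(tail):
            found.append(tail)
    return found


# Constructed buffers standing in for a stock build and a renamed build.
# These are not real Sliver bytes.
STOCK_SAMPLE = b"\x00\x00sliverpb.ScreenshotReq\x00sliver.proto\x00\x7fELF..."
RENAMED_SAMPLE = b"\x00\x00slvrpb.ScShotReq\x00s.proto\x00\x7fELF..."

if __name__ == "__main__":
    for label, buf in (("stock", STOCK_SAMPLE), ("renamed", RENAMED_SAMPLE)):
        print(label, "exact:", match_indicators(buf), "heuristic:", message_name_candidates(buf))
```

Against the stock buffer the exact indicators fire; against the renamed buffer they return nothing, while the suffix heuristic still surfaces ScShotReq. The heuristic is a triage aid rather than a signature: it will also match benign protobuf-using software, which is exactly why the page's closing point about moving beyond static strings matters.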
Additionally, behavioral detections posed a significant hurdle.
For example, Sliver’s default shellcode generation relied on Donut’s AMSI bypass, which is heavily signatured.
By modifying the source code to disable this bypass and introducing custom shellcode loaders that map payloads into memory dynamically, researchers were able to evade detection during runtime.
Tackling Advanced Detection Mechanisms
Despite addressing static signatures, certain runtime behaviors triggered alerts in EDR systems like Elastic Agent.
One such detection involved Sliver’s use of Go’s LazyDLL type, which calls the Windows API LoadLibraryExW, resulting in alerts for “Network Library Loaded from Unbacked Memory.”
To mitigate this, researchers explored techniques such as module stomping and API hooking but ultimately opted for simpler methods like writing dynamic libraries to disk with modified export functions.
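The alert named above, and the on-disk workaround the researchers chose, map onto two detection rules a defender can express over image-load telemetry. The Python below is an added example, not Elastic's rule logic or any vendor's schema: the event format, field names (`caller_backing_file`), DLL list and trusted-path prefixes are all constructed for illustration.

```python
import json
from typing import Dict, List, Optional

# Network-capable DLLs whose load from a suspicious call site is worth alerting on (constructed list).
NETWORK_DLLS = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "dnsapi.dll"}

# Directories a legitimate calling module is normally backed by (constructed allow-list).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed image-load events in a hypothetical JSON-lines schema.
# caller_backing_file is the file backing the code that called LoadLibrary;
# null means the caller ran from private (unbacked) memory.
SAMPLE_EVENTS = r"""
{"event": "image_load", "pid": 4120, "process": "notepad.exe", "image": "C:\\Windows\\System32\\ws2_32.dll", "caller_backing_file": null}
{"event": "image_load", "pid": 804, "process": "chrome.exe", "image": "C:\\Windows\\System32\\wininet.dll", "caller_backing_file": "C:\\Program Files\\Google\\Chrome\\chrome.dll"}
{"event": "image_load", "pid": 4120, "process": "notepad.exe", "image": "C:\\Windows\\System32\\gdi32.dll", "caller_backing_file": null}
{"event": "image_load", "pid": 6212, "process": "svchost.exe", "image": "C:\\Windows\\System32\\winhttp.dll", "caller_backing_file": "C:\\Users\\Public\\update.dll"}
{"event": "process_create", "pid": 5000, "process": "cmd.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_image_load(ev: Dict) -> Optional[str]:
    """Return a rule name if the event is a suspicious network-library load, else None."""
    if ev.get("event") != "image_load":
        return None
    if basename(ev["image"]) not in NETWORK_DLLS:
        return None
    backing = ev.get("caller_backing_file")
    if backing is None:
        # The behaviour the page describes for the stock LazyDLL loader.
        return "network library loaded from unbacked memory"
    if not backing.lower().startswith(TRUSTED_PREFIXES):
        # Covers the "write the DLL to disk" workaround: the caller is backed,
        # but by a module outside the usual install locations.
        return "network library loaded by module from untrusted path"
    return None


def detect(lines: str) -> List[Dict]:
    """Run classify_image_load over JSON-lines telemetry and collect alerts."""
    alerts = []
    for raw in lines.strip().splitlines():
        ev = json.loads(raw)
        rule = classify_image_load(ev)
        if rule:
            alerts.append({"pid": ev["pid"], "process": ev["process"],
                           "dll": basename(ev["image"]), "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample telemetry the first rule catches the unbacked ws2_32.dll load and the second catches a winhttp.dll load whose caller lives under C:\Users\Public; the Chrome load and the non-network gdi32.dll load stay quiet. The second rule is the defender's answer to the on-disk variant: once a payload stops living purely in memory, the file it leaves behind becomes the artifact to key on.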
Further refinements included removing unused exported functions and renaming key method calls such as GetJitter to obfuscate their presence in memory.
According to FortBridge, these changes were automated using scripts that systematically replaced problematic strings across the codebase, ensuring consistency and efficiency during compilation.
After implementing these modifications, the customized Sliver payloads were subjected to rigorous testing against multiple EDR solutions.
Static scans showed zero detections, while dynamic analysis via sandbox environments like LitterBox confirmed successful evasion of runtime alerts.
According to the report, the final payloads demonstrated their effectiveness by establishing callbacks on systems running Elastic Agent without triggering any behavioral detections.
This research underscores the potential of adapting open-source tools like Sliver for advanced red team operations.
By leveraging minor code edits and automation scripts, practitioners can bypass even sophisticated detection mechanisms without resorting to building custom frameworks from scratch.
However, it also highlights the ongoing arms race between offensive tooling and defensive technologies, emphasizing the need for continuous innovation on both sides.
While these findings provide valuable insights for red team operators, they also serve as a reminder for defenders to enhance their detection strategies beyond static signatures and predictable behavioral patterns.