Evolving Stealth: Enhancing Sliver C2 Framework to Bypass Advanced EDR Detection


In the fast-paced and ever-changing world of cybersecurity, red teams and offensive security practitioners are constantly faced with a critical decision: create custom tools from the ground up, or modify existing open-source frameworks to fit their needs. One of the most versatile tools currently gaining traction is the Sliver Command & Control (C2) framework. Written in Go, Sliver offers impressive multi-platform support, which has made it an attractive choice for red teams. However, as endpoint detection and response (EDR) systems have evolved, the default payloads of Sliver have become increasingly detectable. This article delves into the efforts to enhance Sliver’s stealth capabilities by addressing both static and behavioral detection mechanisms, and how slight modifications can make the framework an even more effective tool for offensive operations.

Adapting to Evolving Detection Mechanisms: How Sliver C2 is Overcoming Modern Security Defenses

Sliver was initially hailed for its ability to evade detection by utilizing large implant sizes and obfuscating symbols. As its popularity grew, however, the security community began to develop static YARA rules designed to identify its payloads, making it easier for defenders to spot Sliver in action. This put red teams in a bind, as they relied on Sliver to carry out their operations. In response to this, the need arose for novel methods to maintain the tool’s efficacy against modern defenses, including Elastic EDR and Windows Defender.

One of the key challenges facing Sliver was its large binary size, which, while useful for its functionality, made it easy to detect. When left idle in memory, its size raised red flags. To combat this, researchers explored several strategies, such as creating staged payloads that never touch the disk and embedding encrypted implants into loaders that self-inject during runtime. These approaches sought to minimize the framework’s footprint and reduce the chances of detection by static signature-based tools.

Despite these efforts, early tests against modern EDR platforms like Elastic EDR consistently flagged Sliver’s payloads. This was primarily due to static signatures embedded within the framework’s protobuf-generated code. To solve this, the researchers began by modifying the protobuf definitions within the Sliver source code. For example, they renamed structures such as ScreenshotReq in the sliver.proto file, and regenerated the associated Go files. This small change significantly reduced signature matches, allowing the payloads to avoid detection.

In addition to modifying protobuf definitions, the team replaced hardcoded constants and altered initialization routines to further evade detection. To streamline this process and ensure consistency across builds, a custom bash script was developed. The script used utilities like sed for string replacements throughout the codebase, automating the process of editing and recompiling the framework. This significantly reduced the time required to implement changes and ensured that the modified version of Sliver would be consistently updated across different engagements.

Tackling Behavioral Detection: Overcoming the Dynamic Challenges of Modern Security

While static signature evasion was a success, the next hurdle was more difficult to overcome: behavioral detections. Elastic EDR, for instance, flagged Sliver’s use of the Windows API LoadLibraryExW for loading network libraries from unbacked memory. The challenge with behavioral detection lies in the fact that such tools monitor the activity of programs during runtime, making it much more difficult to remain undetected.

In an attempt to bypass this, the researchers explored several potential solutions, including preloading libraries or utilizing hardware breakpoints to intercept API calls. However, these approaches were ineffective at achieving the level of stealth necessary for the engagement. As a result, the team turned to a more refined approach: writing dynamic libraries to disk while removing detectable strings from exported functions such as DllRegisterServer and GetJitter. By modifying both the sliver.proto file and associated Go files, they eliminated certain runtime behaviors that would typically trigger behavioral analysis tools.
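As an added example (not from the article or the Sliver project), here is a simplified defender-side model of the behavioural check described above: a call to LoadLibraryExW is flagged when its call site lies in memory that no loaded image backs. The event schema, module layout, addresses and the winhttp.dll argument are assumptions constructed for the sample.

```python
# Added example (not from the article or the Sliver project): a simplified model of
# the "unbacked memory" check the article says Elastic EDR applied to LoadLibraryExW.
# Event format, module layout and addresses below are constructed for illustration.
from typing import NamedTuple, Optional


class ModuleRange(NamedTuple):
    name: str
    base: int
    size: int


class ApiCall(NamedTuple):
    pid: int
    api: str        # e.g. "LoadLibraryExW"
    caller: int     # return address of the call site
    argument: str   # for LoadLibraryExW, the library being loaded


# Only the API named on the page is watched; extend for other loader APIs.
WATCHED_APIS = {"LoadLibraryExW"}


def backing_module(addr: int, modules: list) -> Optional[str]:
    """Name of the mapped PE image containing addr, or None if no image backs it."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def find_unbacked_calls(events: list, modules_by_pid: dict) -> list:
    """Alert on watched API calls whose call site lies outside every loaded image.

    Code with no backing file on disk (shellcode, a reflectively mapped loader)
    is exactly the condition the article describes as triggering the detection.
    """
    alerts = []
    for ev in events:
        if ev.api not in WATCHED_APIS:
            continue
        if backing_module(ev.caller, modules_by_pid.get(ev.pid, [])) is None:
            alerts.append({"pid": ev.pid, "api": ev.api,
                           "caller": hex(ev.caller), "argument": ev.argument})
    return alerts


# Constructed sample: pid 4242 has two mapped images; the second call comes from
# a heap-range address that no image covers, the third is not a watched API.
SAMPLE_MODULES = {4242: [ModuleRange("app.exe", 0x7FF600000000, 0x100000),
                         ModuleRange("kernel32.dll", 0x7FFA00000000, 0x200000)]}
SAMPLE_EVENTS = [ApiCall(4242, "LoadLibraryExW", 0x7FF600001A2B, "winhttp.dll"),
                 ApiCall(4242, "LoadLibraryExW", 0x0000020040000123, "winhttp.dll"),
                 ApiCall(4242, "CreateFileW", 0x0000020040000456, "C:\\tmp\\x")]
```

Running `find_unbacked_calls(SAMPLE_EVENTS, SAMPLE_MODULES)` returns a single alert for the second event; a real sensor would take the module list from the process at call time rather than from a static table.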

After multiple rounds of modification and testing, the customized Sliver payloads were able to successfully evade detection by both static and dynamic analysis tools. Tests conducted using platforms like LitterBox confirmed zero detections in various scenarios, highlighting the effectiveness of the modifications. The final version of Sliver included a basic library loader that executed the implant dynamically, without triggering alerts on systems running Elastic agents. This success showcased the potential of modifying open-source frameworks like Sliver to suit the unique needs of advanced red team engagements.

Innovative Iteration: Why Tailoring Tools Like Sliver is the Future of Offensive Security

The lessons learned from modifying Sliver underscore a broader trend in offensive security: the increasing reliance on adapting and customizing existing open-source frameworks to stay one step ahead of modern defense systems. Rather than developing entirely new tools from scratch, red teams can leverage frameworks like Sliver, modifying them to avoid detection and achieve their objectives more efficiently.

Projects like Better-Sliver and SliverCloak have already begun to incorporate similar enhancements, demonstrating the growing commitment within the cybersecurity community to evolve these tools in line with changing defensive tactics. Additionally, training programs such as ZeroPoint Security’s Certified Red Team Operator (CRTO) courses are providing valuable insights into how these techniques can be applied in real-world environments.

As defenders continue to refine their detection capabilities, offensive teams must remain agile. This means continuously exploring innovative methods, such as the ones demonstrated with Sliver, to ensure they can maintain their operational effectiveness. This iterative approach not only keeps red teams ahead of evolving defenses but also fosters a deeper understanding of how detection and evasion mechanisms work. By constantly refining their tools and techniques, offensive security practitioners can stay one step ahead in this high-stakes cat-and-mouse game.

What Undercode Says:

At UnderCode, we believe that offensive security must be a dynamic and iterative process. The advancements made in Sliver’s modification reflect the growing need for red teams to adapt quickly to the ever-evolving landscape of security defenses. The development of new techniques to bypass both static and behavioral detection mechanisms demonstrates how versatile and resilient the Sliver C2 framework can be when customized properly. Rather than relying on brute force or developing new tools from scratch, the real value lies in optimizing and personalizing existing frameworks to meet the specific needs of the red team and ensure operational success.

One of the key takeaways from the study is the emphasis on continuous testing. The process of modifying Sliver’s source code and payloads was not a one-time fix but a constant cycle of testing and adjusting. This highlights the importance of constant evaluation when facing advanced detection systems. Moreover, the success of these modifications demonstrates the value of open-source frameworks, which, when properly adapted, can offer a significant advantage in red team engagements without the time-consuming task of building new tools from the ground up.

Another significant observation is the importance of understanding the underlying mechanisms of detection systems. The researchers’ ability to bypass both static YARA signatures and behavioral analysis tools was made possible through a deep understanding of how these systems work. This insight into defensive mechanisms is crucial for red teams that wish to maintain an upper hand in cybersecurity engagements.

Ultimately, this shift toward tailoring existing frameworks is a promising approach in the field of offensive security. It allows red teams to focus their efforts on refining tactics rather than constantly reinventing the wheel, making the overall process more efficient and effective.

Fact Checker Results:

  • Modification of Sliver C2 Framework: The enhancements made to Sliver’s payloads were successful in bypassing both static and behavioral detection mechanisms. This was achieved through a combination of protobuf modifications, string replacement, and behavioral adjustments.
  • Testing Platforms: Tests using platforms like LitterBox confirmed that the modified Sliver payloads achieved zero detections in various scenarios, emphasizing the effectiveness of the changes.
  • Evolving Red Team Strategies: The trend of adapting existing tools rather than creating new ones aligns with broader strategies in red team operations, focusing on optimizing performance and efficiency over creating entirely new frameworks.

References:

Reported By: https://cyberpress.org/customized-sliver-framework-boosts-evasion/