Sliver Framework Customized to Boost Evasion & Bypass EDR Detections

When tested against Elastic EDR and Windows Defender, these customized Sliver implants successfully evaded detection both on disk and in memory, demonstrating how minor modifications to open-source offensive tools can significantly challenge modern security solutions. The impact of these evasion techniques is substantial, as they allow red team operators to deploy Sliver in environments protected by modern security solutions without immediate detection, potentially extending the dwell time during security assessments or, more concerningly, during actual breaches. Fortbridge researchers identified that with relatively simple code modifications, security practitioners can significantly enhance Sliver’s ability to bypass detection mechanisms, particularly static YARA signatures employed by security products. Similar projects like better-sliver and slivercloak have implemented many of these modifications, indicating a growing trend toward customization of open-source offensive security tools to enhance their stealth capabilities. Sliver, a multi-platform Command & Control framework written entirely in Go, has gained significant traction in offensive security since its 2020 release. While these modifications allow Sliver to evade static detections, researchers note that many commands built into the Sliver implant will still trigger Elastic behavioral alerts during runtime.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 08:25:08 +0000

Cyber News related to Sliver Framework Customized to Boost Evasion & Bypass EDR Detections

Sliver Framework Customized to Boost Evasion & Bypass EDR Detections - When tested against Elastic EDR and Windows Defender, these customized Sliver implants successfully evaded detection both on disk and in memory, demonstrating how minor modifications to open-source offensive tools can significantly challenge modern ...
2 months ago Cybersecuritynews.com Cloak

Silly EDR Bypasses and Where To Find Them - One of the drawbacks of direct & indirect syscalls is that it's clear from the callstack that you bypassed the EDR's user mode hook. As you can see from the last image, when a call is done through a hooked function the return address for the EDR's ...
1 year ago Malwaretech.com

PyPi package backdoors Macs using the Sliver pen-testing suite - A new package mimicked the popular 'requests' library on the Python Package Index to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate networks. Discovered by Phylum, the campaign involves ...
1 year ago Bleepingcomputer.com

CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago

An Introduction to Bypassing User Mode EDR Hooks - While cross-referencing notes against old blog posts, I realized that I never actually published the majority of my work on system calls and user mode hooking. System calls are the standard way to transition from user mode to kernel mode. On Windows, ...
1 year ago Malwaretech.com

Windows Incident Response: EDRSilencer - Going unnoticed on an endpoint when we believe or feel that EDR is prevalent can be a challenge, and this could be the reason why these discussions have taken hold. If you look at other aspects of EDR and SOC operations, there are plenty of ...
1 year ago Windowsir.blogspot.com Silence

Cybercriminals Take Advantage of Weaknesses in Sunlogin to Install Sliver Command and Control System - Cybercriminals are taking advantage of known weaknesses in Sunlogin software to deploy the Sliver command-and-control framework for post-exploitation activities. This was discovered by AhnLab Security Emergency response Center, which found that ...
2 years ago Thehackernews.com

Windows Incident Response: Round Up - MSSQL is still a thingTheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I'm always interested in things like this because it's possible that the author will provide clear ...
1 year ago Windowsir.blogspot.com

Hackers Gaining Unauthorized Access to Windows Devices Through Silver and BYOVD Exploits - Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed ...
2 years ago Heimdalsecurity.com

ANY.RUN Unveils Q1 2025 Malware Trends Report - ANY.RUN’s latest malware trends report reveals substantial increases in threat activity across multiple categories, providing critical intelligence for security professionals as cyber threats continue to evolve at an alarming pace. Stealers ...
1 month ago Cybersecuritynews.com

Threat Actors Turn To SLIVER As Open Source Malware Toolkit - A new open source malware toolkit, called SLIVER, is being used by threat actors to create and spread malicious programs. SLIVER is a modularized, open-source malware framework that allows users to easily build and deploy malicious Visual Basic ...
2 years ago Thehackernews.com

How To Implementing MITRE ATT&CK In SOC Workflows - A Step-by-Step Guide - By understanding the framework, mapping your current capabilities, developing targeted detection and response strategies, and integrating ATT&CK into your tools and processes, you can build a proactive, threat-informed defense that evolves ...
2 months ago Cybersecuritynews.com

Building A Unified Security Strategy: Integrating Digital Forensics, XDR, And EDR For Maximum Protection - To effectively counter these threats, organizations must integrate Digital Forensics, Extended Detection and Response (XDR), and Endpoint Detection and Response (EDR) into a unified security framework. It involves two main components: digital ...
1 month ago Cybersecuritynews.com

Zero Trust Security Framework: Implementing Trust in Business - The Zero Trust security framework is an effective approach to enhancing security by challenging traditional notions of trust. Zero Trust Security represents a significant shift in the cybersecurity approach, challenging the conventional concept of ...
1 year ago Securityzap.com

CVE-2023-38297 - An issue was discovered in a third-party com.factory.mmigroup component, shipped on devices from multiple device manufacturers. Certain software builds for various Android devices contain a vulnerable pre-installed app with a package name of ...
1 year ago

Sliver C2 Server Vulnerability Let Attackers Open a TCP connection to Read Traffic - A critical server-side request forgery (SSRF) vulnerability (CVE-2025-27090) has been identified in the Sliver C2 framework’s teamserver implementation, enabling attackers to establish unauthorized TCP connections through vulnerable servers. ...
3 months ago Cybersecuritynews.com CVE-2025-27090

New "Bring Your Own Installer" EDR bypass used in ransomware attack - A new "Bring Your Own Installer" EDR bypass technique is exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware. ...
1 month ago Bleepingcomputer.com

Illegal Access to Windows Computers Through Silver and Bring Your Own Device Vulnerabilities - A recent hacking campaign has been exploiting vulnerabilities in Sunlogin, a remote-control software, to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. ...
2 years ago Bleepingcomputer.com

Exploiting a Windows Device Through an Alternative to Cobalt Strike Called Sliver - Security analysts at AhnLab Security Emergency Response Center have detected a new hacking campaign that takes advantage of Windows BYOVD attacks to disable security software and deploy the post-exploitation toolkit Sliver. Sliver is an alternative ...
2 years ago Cybersecuritynews.com

Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
1 year ago Thedfirreport.com

10 Best EDR Tools ( Endpoint Detection & Response) - 2025 - What is good?What Could Be Better ?Provides comprehensive endpoint monitoring.Some users might find the installation and configuration process of the solution tedious.Protect your entire security stack with in-depth threat intelligence.Some users ...
2 months ago Cybersecuritynews.com

Cybersecurity Frameworks: What Do the Experts Have to Say? - Cybersecurity frameworks are blueprints for security programs. Typically developed by governmental organizations, industry groups, or international bodies, they take the guesswork out of developing defense strategies, providing organizations with ...
11 months ago Tripwire.com

Kaspersky Unveils New Flagship Product Line for Business, Kaspersky Next - PRESS RELEASE. Woburn, MA - April 16, 2024 - Today Kaspersky introduced its new flagship product line, Kaspersky Next, combining robust endpoint protection with the transparency and speed of EDR, alongside the visibility and powerful tools of XDR. ...
1 year ago Darkreading.com

CVE-2007-0228 - The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) ...
7 years ago

Why It's More Important Than Ever to Align to The MITRE ATT&CK Framework - These missed attacks often stem from either hidden gaps in detection coverage - or due to alerts that got buried in a sea of noisy alerts and were never even pursued by the Security Operations Center team. In other words, we need to be able to report ...
1 year ago Cyberdefensemagazine.com APT28 FIN7 LAPSUS$ Lazarus Group