
QUESTION. Is there a way to work around memory scanners with a Sliver implant?

Open kamisw03 opened this issue 1 year ago • 4 comments

Advanced EDR and AV can catch Sliver implants even if they use SGN. I am wondering if there is a better way to work around this?

kamisw03, Jan 07 '24 03:01

Typically memory scans are triggered via process behavior or based on a timer; avoiding the memory scan triggers is typically the best way to evade them.

moloch--, Jan 08 '24 19:01

Advanced EDR and AV can catch Sliver implants even if they use SGN

This might be due to a combination of things, one of them being the obfuscator missing some key elements that are currently used as IOCs.

rkervella, Jan 08 '24 19:01

Sliver shellcodes are built using go-donut, which is a Go implementation of donut. This means that Sliver will probably carry any artifacts or suspicious behavior that donut leaves or generates.

rkervella, Jan 08 '24 22:01