sliver Unobfuscated strings in binary

Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

Generate a Sliver beacon for windows in exe format. e.g. generate --http {ip} --os windows
Run the beacon
Run the yara rule https://github.com/elastic/protections-artifacts/blob/1e357aaca865d37279e71c8ddec10e01a051c0ab/yara/rules/Multi_Trojan_Sliver.yar#L2 using yara64.exe

Expected behavior Unobfuscated strings are found in the Sliver binary and in memory

Desktop (please complete the following information):

OS: Windows

Additional context The strings identified were:

Matched String: ").RequestResend" Matched String: ").GetPrivInfo" Matched String: "B/Z-github.com/bishopfox/sliver/protobuf/sliverpbb" ascii fullword Matched String: "InvokeSpawnDllReq" ascii fullword Matched String: "NetstatReq" ascii fullword Matched String: "HTTPSessionInit" ascii fullword Matched String: "ScreenshotReq" ascii fullword Matched String: "RegistryReadReq" ascii fullword

Aug 16 '24 10:08 CodeXTF2

This is a known issue. Still not sure if it's a regression in Garble or if something changed in the protobuf library, or a bit of both. Either way, Garble is not picking up the protobuf methods, which makes for easy signatures to be built.

Aug 16 '24 11:08 rkervella

At least the DNS ones are gone, not sure why these are showing up.

Aug 21 '24 17:08 moloch--

These are on most of the Yara rules on GitHub for sliver. I just did a dirty find and replace on the strings to get around the rules.

Dec 26 '24 09:12 dalemazza

several Defender AV signatures detecting these strings. Any workaround? Are those above all the strings get detected?

Dec 31 '24 18:12 Cyb3r-Monk

We've been toying with custom AST obfuscation for the protobuf some of it is merged into v1.6 but it's slow going and lesnuages and I have less time to work on Sliver these days so no ETA on a comprehensive fix.

Jan 06 '25 16:01 moloch--