He needed a new foothold. The EDR had learned. But Sliver 4.2.2 had one more trick: --disable-sgn. No more signature-based hashing. Instead, direct NTAPI calls via HellHall gate obfuscation.
From the server log:
The second implant compiled. A different domain front—officecdn.microsoft.com.edgesuite.net. A different process target: spoolsv.exe.
sliver v4.2.2 windows
He typed:
Alex saved the session logs to an encrypted USB. Then he deleted every artifact from the Sliver server—the profiles, the certs, the history. The operation never happened.
Sliver is an open-source, cross-platform adversary emulation framework developed by Bishop Fox. Unlike its predecessors, such as the Metasploit Framework, which rely heavily on a monolithic architecture, Sliver is designed with modularity and modern operational security (OpSec) in mind.
[*] Beacon 8f3a response delayed ... 200ms ... 500ms ...
Alex deployed.
The process was stomped. Alex had injected the Sliver shellcode into a paused instance of Windows Defender’s own MsMpEng.exe. A classic living-off-the-land move, but version 4.2.2 made it cleaner—the --skip-symbols flag eliminated debug artifacts, and the new armory plugin EvtxHunt had pre-cleaned any event log anomalies before they were written.
sliver > generate --http --skip-symbols --profile win11-bypass-v2
sliver > armory install get-system
sliver > http --beacon -j 3