Windows: Sliver V4.2.2

The process was stomped . Alex had injected the Sliver shellcode into a paused instance of Windows Defender’s own MsMpEng.exe . A classic living-off-the-land move, but version 4.2.2 made it cleaner—the --skip-symbols flag eliminated debug artifacts, and the new armory plugin EvtxHunt had pre-cleaned any event log anomalies before they were written.

Alex’s fingers flew.

Sliver is an open-source, cross-platform adversary simulation platform (C2 framework). Version 4.2.2 introduced several stealth and obfuscation features. The protagonist is a red teamer named Alex . The command line blinked. sliver v4.2.2 windows

sliver > use 8f3a sliver (DOMAIN\SVC_ENGINEER) > info [ ] Session : 8f3a [ ] Hostname : ICS-WS-04 [ ] OS Version : Windows 10 Enterprise 22H2 (10.0.19045) [ ] Process : MsMpEng.exe (stomped) [ ] PID : 884 [ ] Architecture : amd64 [ ] Active C2 : https://cdn-telemetry.azureedge.net/api/v1/stats [ ] Extensions : winmgmt, rpc The process was stomped

Five seconds later:

Then, a new line appeared. Not from the beacon. Alex’s fingers flew

Sliver v4.2.2 on Windows had done its job.