Slivering Through The Cracks
ID: 128202d0-315c-5969-8d7c-25c286f1ee25
STIX ID: report--128202d0-315c-5969-8d7c-25c286f1ee25
Feed Name: Binary Defense Blog
This report explains how the Sliver C2 framework implements NTDLL in-memory patching to remove security hooks and evade endpoint protections, dissects the RefreshPE() and writeGoodBytes() functions used to overwrite the .text section with a clean on-disk copy, and presents a telemetry-driven detection approach that flags these memory writes so defenders can build layered tripwires.
