
Noobmode

If you are a current customer I would advise you do a few things: 1. If you can’t find a KB or community article, submit a ticket. 2. Test it yourself. Trust but verify. That way you can build any gaps yourself.


drkramm

Haven't used it recently, but sliver worked well for me. That is until you start trying stuff, then cs usually kills it.


SweatyIntroduction45

Unless you customize those tools and their implants they will get detected. Won’t even be able to drop on disk without being detected.


just_gweat

Fire them up on a test machine and see what happens in CS, it's 100% okay to test offensive tools and try to improve your staff's experience and your defenses. I would bet dollars to donuts that you'll get detections, but the only way to spot a gap or misconfiguration is to try. : )


shavedbits

I know people are constantly testing different C2s against different EDRs all the time. Just please think before you tweet. There are lots of ways to configure products like EDR, and they aim to help however they can, whether that is inline blocking (hard), detection alerts (medium), or enough clouded data that an analyst can construct a timeline from. The best way for customers of EDR products to do this type of testing and get value from it is to take any findings through support. Did you use an up-to-date OS on the victim? Did you use a recent version of a product? Why cov and sliver? Do you have specific kill chains you want to try against their product? You likely won't get much traction if you report having successfully popped calc under your payload, assuming you can get your payload on disk. Detection could happen at many levels, so the more realistic your scenario the more it matters. Maybe you assume you can get an employee to click a link in a phish, and when you carry out such a scenario you were able to get a session, pull files from network shared drives, archive them up and send them out to your server. Then persist, log out. And your findings were that telemetry was there if you knew what to look for but alerts didn't trigger. Maybe another useful thing for you to do is focus on a single attack step that you've been burned by in the past, and while one of the mainstream methods is alerting, try as many as you can to see if they are all detected. Again, if you simply want to see coverage added in a timely manner, share your findings, technical specs and any logs you can with support. ETW, procmon, memory dumps (sorry, I am biased for Win personally), anything possible.


Funny-Procedure-1030

Much more solid is to test it yourself or hire purple/red folks. Test tenant, a VM separated from the prod network, and try yourself. Asking support depends on who you hit (they may not have time, they may provide a generic answer, they may not have deeper technique vs product knowledge). Testing out-of-the-box capabilities makes almost no sense; it's picked up by AV. Then it's mostly a game of encryption/obfuscation/confusion/removing what signatures detect. Try to create focused behavioral scenarios based on your threat model (what you care about the most), regardless of the agent (you can still use Sliver, Cobalt Strike etc.):

1. Can I use the agent to grab browser cookies, local password manager files, deploy a key logger, man the browser to intercept MFA, relay HTTP sessions (infostealer type of behavior)
2. Migrate the agent to typical system processes - injection
3. Execute typical network recon commands via Win API, without spawning a cmd /c child process: [https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_running-commands.htm](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_running-commands.htm)
4. Create your own code to encrypt all Office documents on disk using the Microsoft API - 20 lines of code (C# or PowerShell); it will take you 30 - 60 minutes to create. Now you have code which is not covered by a signature (as a known ransomware executable/script) and you want to understand if the behavior is detected.

One example is Atomic Red Team: everything there (at this point) is covered by signatures (makes sense, right? Putting this on the Internet, everyone can use it but also everyone detects it), there is no operational security/evasion/tools confusion effort. They download mimikatz from the official GitHub, which is basically equivalent to creating EICAR on disk. Web proxy AV will kill it before you do any actual credential dumping, which may lead to inaccurate technique evaluation. [https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-10---powershell-mimikatz](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-10---powershell-mimikatz) The guys are doing a great job; it depends on which level you operate at. Signatures, basic string matching of typical command lines vs behavioral pattern detection within Win API / kernel. Of course comprehensive solutions will do both. Next step is remediation - what are you going to do about it once gaps are identified? Either your own detection engineering capability (limited by IOA language scope mostly) or you work with the vendor, which is not easy; they need to make it work for all customers, it takes time, and it needs to be a significant gap for them to care.
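A defender-side companion to the behavioral scenarios in this thread, added here as an example and not code from any poster or vendor: it replays constructed Sysmon-style file events and flags the two behaviors that signatures alone miss, a home-grown encryptor rewriting many Office documents in a short burst and a non-browser process reading a browser cookie store, so a tester can confirm telemetry exists even where no alert fired. The event tuple shape, thresholds, process names and cookie-store path are assumptions.

```python
"""Replay constructed Sysmon-style file events and flag two behaviors from the
thread: a home-grown encryptor rewriting many Office documents, and a non-browser
process reading a browser cookie store. Event shape and thresholds are assumed."""
from collections import defaultdict

OFFICE_EXT = (".docx", ".xlsx", ".pptx", ".doc", ".xls")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Lowercased path fragment of the Chrome cookie store (assumed location).
COOKIE_STORES = (r"\google\chrome\user data\default\network\cookies",)
CHROME_COOKIES = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
# Constructed sample: (time_s, pid, image, action, path). Not real telemetry.
SAMPLE_EVENTS = [(100 + i, 4242, "encdocs.exe", "write",
                  rf"C:\Users\a\Documents\report{i}.docx") for i in range(25)]
SAMPLE_EVENTS += [
    (100, 3001, "WINWORD.EXE", "write", r"C:\Users\a\Documents\draft.docx"),
    (300, 3001, "WINWORD.EXE", "write", r"C:\Users\a\Documents\draft2.docx"),
    (150, 5555, "updater.exe", "read", CHROME_COOKIES),   # should be flagged
    (151, 6001, "chrome.exe", "read", CHROME_COOKIES),    # the browser itself
]


def burst_writers(events, threshold=20, window=60):
    """Return {pid: (image, peak)} for processes that write >= threshold Office
    documents inside any `window` seconds (sliding window per process)."""
    writes, image_of = defaultdict(list), {}
    for ts, pid, image, action, path in events:
        if action == "write" and path.lower().endswith(OFFICE_EXT):
            writes[pid].append(ts)
            image_of[pid] = image
    hits = {}
    for pid, times in writes.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop writes older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[pid] = (image_of[pid], peak)
    return hits


def cookie_store_readers(events):
    """Return sorted (pid, image) of non-browser processes reading a cookie store."""
    hits = set()
    for _, pid, image, action, path in events:
        if (action == "read" and image.lower() not in BROWSERS
                and any(frag in path.lower() for frag in COOKIE_STORES)):
            hits.add((pid, image))
    return sorted(hits)
```

Point the same two functions at exported file-event telemetry from your test VM; if the encryptor or cookie read shows up here but produced no alert, that is exactly the "telemetry was there but nothing triggered" finding worth taking to support.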