Encrypted Sliver C2 Detection with Advanced Threat Prevention
What's New in the NetSec Platform

The Advanced Threat Prevention Inline Cloud Analysis feature now detects C2 threats developed using the Sliver C2 framework.
To enable Encrypted Sliver C2 Detection, download and install the latest PAN-OS content release. Applications and Threats content release 9006-9569 gives firewalls running PAN-OS 11.2.7 access to an updated version of the SSL Command Control Detector that includes support for Encrypted Sliver C2 detection. For more information about the update, refer to the Applications and Threats Content Release Notes.
To download the release notes, log in to the Palo Alto Networks Support Portal, click Dynamic Updates and select the release notes listed under Apps + Threats.
Advanced Threat Prevention Inline Cloud Analysis now detects unknown C2 threats built with the open source Sliver C2 framework and transmitted over TLSv1.3. Sliver is an increasingly popular post-exploitation framework whose implants use encrypted communications to maintain persistent access to compromised systems while evading traditional detection methods. A specialized pre-filter on the firewall identifies suspicious TLS handshake characteristics associated with Sliver C2; sessions that match are forwarded to the Advanced Threat Prevention cloud for in-depth analysis by a sequence-based neural network detection model. This deep learning model examines patterns across multiple TLS records within a session, so it can identify the characteristic Sliver C2 communication pattern with high confidence even though the content is encrypted. The Sliver C2 detector is integrated with the SSL Command Control Detector model, listed under the Inline Cloud Analysis tab of the Anti-Spyware profile. This lets the firewall block malicious traffic during the initial connection phase, before the attacker can establish an effective control channel. Each detection generates a threat log entry with a new threat ID: Threat ID 89961, Evasive Sliver C2 Traffic Detection.
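The detector described above works on what the TLS record layer exposes without decryption: record type, direction and length, in order, across the whole session. The following is an added illustration, not Palo Alto Networks code and not a reproduction of the vendor's pre-filter or neural model. It parses a constructed TLS 1.3 session into exactly that per-record metadata and derives the kind of signed size sequence a sequence model would consume. The helper names, the `c2s`/`s2c` direction labels and the sample session bytes are assumptions made for the example; the record-layer constants come from RFC 8446.

```python
"""Record-layer metadata extraction for an encrypted TLS session (added example)."""
import struct
from typing import List, Tuple

# Record-layer content types and the ClientHello handshake type (RFC 8446, sections 5.1 and 4).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_CLIENT_HELLO = 1
TLS12_RECORD_VERSION = 0x0303  # legacy_record_version carried by TLS 1.3 records

Record = Tuple[str, str, int, int]  # (direction, content_type, version, length)


def parse_records(buf: bytes, direction: str) -> List[Record]:
    """Split one direction's byte stream into TLS record headers.

    Only the 5-byte header is interpreted; encrypted payloads are never touched.
    Truncated or unknown records raise ValueError so the caller can treat the
    stream as non-TLS instead of guessing.
    """
    records: List[Record] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, version, length = struct.unpack("!BHH", buf[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        if len(buf) - off - 5 < length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((direction, CONTENT_TYPES[ctype], version, length))
        off += 5 + length
    return records


def looks_like_client_hello(buf: bytes) -> bool:
    """Cheap handshake gate (assumed pre-filter shape, not the vendor's): the first
    client record must be a handshake record whose first body byte is ClientHello."""
    if len(buf) < 6:
        return False
    ctype, _version, _length = struct.unpack("!BHH", buf[:5])
    return ctype == 22 and buf[5] == HANDSHAKE_CLIENT_HELLO


def session_sequence(chunks: List[Tuple[str, bytes]]) -> List[Record]:
    """Flatten a capture, given as (direction, bytes) chunks in wire order, into the
    ordered record sequence that a sequence model would consume."""
    seq: List[Record] = []
    for direction, buf in chunks:
        seq.extend(parse_records(buf, direction))
    return seq


def size_signature(seq: List[Record]) -> List[int]:
    """Signed lengths of application_data records: positive client->server, negative
    server->client. In TLS 1.3 only ClientHello/ServerHello travel as plaintext
    handshake records; everything afterwards, including the encrypted handshake
    messages, is application_data, so direction and size are the only signal left."""
    return [length if d == "c2s" else -length
            for d, ctype, _v, length in seq if ctype == "application_data"]


def tls_record(ctype: int, body: bytes, version: int = TLS12_RECORD_VERSION) -> bytes:
    """Build one record: content type, legacy version, 16-bit length, body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample session (not captured traffic): a TLS 1.3 handshake followed by
# repeated small-request / large-response exchanges. Bodies are filler bytes; only
# the record types and lengths matter at this layer.
SAMPLE_SESSION = [
    ("c2s", tls_record(22, bytes([HANDSHAKE_CLIENT_HELLO]) + b"\x00" * 250)),   # ClientHello
    ("s2c", tls_record(22, b"\x02" + b"\x00" * 90)                              # ServerHello
            + tls_record(20, b"\x01")                                           # compat CCS
            + tls_record(23, b"\x00" * 1400)),                                  # encrypted handshake
    ("c2s", tls_record(20, b"\x01") + tls_record(23, b"\x00" * 74)),            # CCS + Finished
    ("c2s", tls_record(23, b"\x00" * 120)),
    ("s2c", tls_record(23, b"\x00" * 980)),
    ("c2s", tls_record(23, b"\x00" * 120)),
    ("s2c", tls_record(23, b"\x00" * 980)),
]

if __name__ == "__main__":
    print("pre-filter passed:", looks_like_client_hello(SAMPLE_SESSION[0][1]))
    seq = session_sequence(SAMPLE_SESSION)
    for rec in seq:
        print(rec)
    print("size signature:", size_signature(seq))
```

The point of the example is the shape of the data, not a Sliver signature: nothing here identifies Sliver, and the page does not publish the handshake characteristics the real pre-filter keys on. What it shows is that after the ServerHello every record, handshake or not, is type 23, so a detector that claims to work without decryption can only be reasoning over direction, size and ordering of records, which is exactly the per-session sequence the neural model consumes.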
If you have configured an Anti-Spyware profile with Inline Cloud Analysis enabled to detect SSL command and control threats, no additional configuration is necessary to take advantage of this detector.
Encrypted Sliver C2 detection does not require or rely on SSL decryption being enabled; it operates on the encrypted session as it is.