Advanced Threat Prevention Inline Cloud Analysis now supports detection of unknown C2 threats developed using the open source Sliver C2 framework and transmitted over the TLSv1.3 protocol. Sliver is an increasingly popular post-exploitation tool that leverages encrypted communications to maintain persistent access to compromised systems while evading traditional detection methods. By leveraging a specialized pre-filtering used to identify suspicious TLS handshake characteristics associated with Sliver C2, suspected Sliver traffic is forwarded to the Advanced Threat Prevention cloud for in-depth analysis using a sequence-based neural network detection model. This deep learning model examines patterns across multiple TLS records within a session, enabling high-confidence detection of characteristic Sliver C2 communication patterns even when content is encrypted. The Sliver C2 detector is integrated with the SSL Command Control Detector model, listed under the Inline Cloud Analysis tab within the Anti-Spyware Profile. This allows administrators to block malicious traffic during the initial connection phase before attackers can establish effective control channels. Upon detection, logs are generated and are displayed using a new threat ID associated with this detection: (Threat ID 89961 | Evasive Sliver C2 Traffic Detection).

If you have configured an Anti-Spyware profile with Inline Cloud Analysis enabled to detect SSL command and control threats, no additional configuration is necessary to take advantage of this detector.