Advanced Threat Prevention Inline Cloud Analysis now supports detection of unknown C2 threats developed using the open source Sliver C2 framework and transmitted over TLSv1.3. Sliver is an increasingly popular post-exploitation framework whose implants use encrypted communications to maintain persistent access to compromised systems while evading traditional, content-based detection. A specialized pre-filter on the firewall identifies suspicious TLS handshake characteristics associated with Sliver C2; sessions that match are forwarded to the Advanced Threat Prevention cloud for in-depth analysis by a sequence-based neural network detection model. This deep learning model examines patterns across multiple TLS records within a session, which enables high-confidence detection of characteristic Sliver C2 communication patterns without decrypting the content. (In TLSv1.3 everything after the ServerHello, including the server certificate, is encrypted, so the observable signal is limited to the ClientHello, the ServerHello, and the direction, size, and ordering of the records that follow.) The Sliver C2 detector is integrated with the SSL Command Control Detector model, listed under the Inline Cloud Analysis tab of the Anti-Spyware profile. This allows administrators to block malicious traffic during the initial connection phase, before attackers can establish an effective control channel. Upon detection, threat logs are generated with a new threat ID for this detection: Threat ID 89961 (Evasive Sliver C2 Traffic Detection).
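To make concrete what "patterns across multiple TLS records within a session" means, the following is an added Python example; it is not Palo Alto Networks code and not the detection model itself. It parses a constructed TLS 1.3 session into the per-record sequence of direction, content type and length that a sequence classifier would consume, and reads the ClientHello's supported_versions extension as a stand-in for a handshake pre-check. The flow bytes, record sizes and all function names are constructed for illustration; no Sliver fingerprint is implied.

```python
"""Added illustration (not Palo Alto Networks code, not the ATP model): turn a
TLS 1.3 session into the per-record feature sequence a sequence-based C2
classifier would consume, plus a ClientHello version pre-check. All bytes are
constructed inline; no Sliver signatures are implied."""
import struct
from collections import Counter

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HS_CLIENT_HELLO = 1
EXT_SUPPORTED_VERSIONS = 43
TLS12, TLS13 = 0x0303, 0x0304


def parse_tls_records(data):
    """Split a raw TLS byte stream into (content_type, record_version, body)
    tuples; truncated or unknown records raise instead of being dropped."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def client_hello_versions(body):
    """Versions offered in a ClientHello's supported_versions extension
    (RFC 8446 4.2.1); falls back to legacy_version if the extension is absent."""
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = struct.unpack("!H", hello[:2])[0]
    off = 2 + 32                                             # legacy_version + random
    off += 1 + hello[off]                                    # session_id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]    # cipher_suites
    off += 1 + hello[off]                                    # compression_methods
    if off >= len(hello):
        return [legacy_version]
    end = off + 2 + struct.unpack("!H", hello[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[off:off + 4])
        edata, off = hello[off + 4:off + 4 + elen], off + 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:
            return [struct.unpack("!H", edata[i:i + 2])[0]
                    for i in range(1, 1 + edata[0], 2)]
    return [legacy_version]


def session_features(flow):
    """flow: list of (direction, bytes) chunks in wire order, direction "c2s"
    or "s2c". Returns the per-record (direction, type, length) sequence and
    whether the client offered TLS 1.3."""
    seq, offers_tls13 = [], False
    for direction, data in flow:
        for ctype, _ver, body in parse_tls_records(data):
            if direction == "c2s" and ctype == 22 and body[:1] == bytes([HS_CLIENT_HELLO]):
                offers_tls13 = TLS13 in client_hello_versions(body)
            seq.append((direction, CONTENT_TYPES[ctype], len(body)))
    return seq, offers_tls13


def exchange_size_pairs(seq):
    """Count (client record size, following server record size) pairs among
    application_data records. Once TLS 1.3 wraps everything as type 23, these
    sizes and their repetition are what a classifier can still see."""
    app = [(d, n) for d, t, n in seq if t == "application_data"]
    return Counter((a[1], b[1]) for a, b in zip(app, app[1:])
                   if a[0] == "c2s" and b[0] == "s2c")


def record(ctype, body, version=TLS12):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_client_hello(versions, cipher_suites=(0x1301, 0x1302)):
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (struct.pack("!H", TLS12) + bytes(32)       # legacy_version, zero random
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                               # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return record(22, hs, 0x0301)


CCS = record(20, b"\x01")   # middlebox-compatibility ChangeCipherSpec (RFC 8446 D.4)

# Constructed TLS 1.3 flow: after the ServerHello every record is type 23, so
# only direction and length survive on the wire. All sizes are made up.
SAMPLE_FLOW = [
    ("c2s", build_client_hello([TLS13, TLS12])),
    ("s2c", record(22, bytes(90))),             # ServerHello, opaque placeholder body
    ("s2c", CCS + record(23, bytes(1200))),     # encrypted server handshake flight
    ("c2s", CCS + record(23, bytes(53))),       # encrypted client Finished
    ("c2s", record(23, bytes(64))), ("s2c", record(23, bytes(1200))),
    ("c2s", record(23, bytes(64))), ("s2c", record(23, bytes(1200))),
]

if __name__ == "__main__":
    seq, tls13 = session_features(SAMPLE_FLOW)
    print("client offered TLS 1.3:", tls13)
    for rec in seq:
        print(rec)
    print("repeated exchange sizes:", exchange_size_pairs(seq))
```

Running the block prints the ten-record sequence and the twice-repeated (64, 1200) request/response size pair. The point of the example is the shape of the input: after the ServerHello every record, including the server's certificate and Finished, arrives as content type 23, so a TLS 1.3 classifier has only direction, length, ordering and timing to work with, which is why the detection operates on a sequence of records rather than on any single one.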
If you have configured an Anti-Spyware profile with Inline Cloud Analysis enabled to
detect SSL command and control threats, no additional configuration is necessary to
take advantage of this detector.