topic Re: Hunting for silver C2 / is cortex blocking it? in Cortex XDR Discussions

Hunting for sliver C2 / is cortex blocking it?

Cyber1985 — Sat, 03 Sep 2022 09:44:13 GMT

Hello dear community!

Has anyone of you some XQL for hunting sliver C2?

https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/

Is Cortex XDR (pro) preventing us?

Rob

Re: Hunting for silver C2 / is cortex blocking it?

mfakhouri — Fri, 02 Sep 2022 16:03:51 GMT

Hi Rob,

Thank you for submitting a coverage request for the Silver C2.

As for your first question regarding an XQL query, one has not yet been developed by our engineering team at this time.

As for the second question, we are unable to confirm coverage for this type of attack with Cortex XDR. If you would like to receive direct notifications when advances in this coverage may have been deployed, we highly recommend contacting our TAC team at https://support.paloaltonetworks.com/. They may also be able to provide an XQL query if there is a detection available.

Additionally, I was able to contact internal resources regarding this attack as well and can provide coverage/XQL query updates in the LiveCommunity when it is available, however, there is no guarantee that one will be delivered at this time.

Re: Hunting for sliver C2 / is cortex blocking it?

mfakhouri — Wed, 07 Sep 2022 13:58:51 GMT

Hi Rob,

I was able to confirm that our agent research team is currently adding coverage for the Silver C2 framework. This will utilize static protection with anti-malware flow along with behavioral protection in BTP. If there are additional advances internally, I will be able to continue providing updates in LiveCommunity.

Re: Hunting for sliver C2 / is cortex blocking it?

RFeyertag — Wed, 07 Sep 2022 20:32:03 GMT

Hey Mfakhouri,

thanks a lot!

Rob