Advanced Threat Prevention with Precision AI-Powered Detection for Encrypted Sliver C2

By Nina Smith and Rajesh Gwalani

A new ML-based cloud model detects unknown C2 communication carried over TLS 1.3, the encrypted protocol used by the Sliver tool.
In today's ever-evolving cybersecurity landscape, attackers are constantly refining their techniques to evade detection and compromise sensitive data. One of the growing challenges for organizations is detecting unknown Command and Control (C2) communications, particularly those facilitated by sophisticated offensive security tools like Sliver and cloaked by modern encryption protocols such as TLS 1.3.

The Challenge: Sliver C2 Hiding in Plain Sight with TLS 1.3

Sliver is an open-source command and control (C2) framework used both by security professionals for testing and by malicious actors in real-world attacks. It enables operators to deploy implants on compromised systems, allowing remote control, data exfiltration, and other post-exploitation activities across multiple operating systems.

The Sliver C2 framework has become a popular choice for adversaries due to its flexibility and robust feature set. When combined with the enhanced privacy and security of TLS 1.3, detecting these malicious communications becomes a significant challenge. Traditional signature-based security controls often fail to identify or block these threats, because encryption hides the payload from inspection. This creates a critical security gap, allowing attackers to establish covert channels, exfiltrate data, and execute malicious commands without triggering alarms.

Organizations are rightly concerned. The inability to accurately detect and stop unauthorized C2 traffic transmitted over TLS 1.3 poses a serious risk to network integrity and sensitive data. This is not a theoretical threat—it is an active challenge that can lead to major breaches and operational disruption.

Our Solution: Advanced Threat Prevention Illuminates Encrypted Threats with Precision AI-Powered Detection

We are thrilled to introduce a powerful new addition to our Advanced Threat Prevention capabilities: a cloud-based Precision AI deep learning model specifically designed to detect unknown, encrypted C2 communications from the Sliver tool operating over TLS 1.3.

This approach uses deep learning to identify subtle patterns and behavioral anomalies indicative of Sliver C2 activity, even when the traffic is concealed within the strong encryption of TLS 1.3.

Why Our New Precision AI Detection Stands Out

Our new Precision AI-powered detection for Sliver C2 over TLS 1.3 delivers clear advantages:

  • Increased Coverage: Traditional signature-based methods often miss unknown or modified Sliver C2 traffic, particularly when encrypted with TLS 1.3. Our cloud-based deep learning models are specifically trained to detect these elusive threats, significantly expanding protection against evasive C2 communications.
  • High Accuracy: Testing has shown an impressive 99% accuracy rate in detecting Sliver C2 communications over TLS 1.3. This level of precision ensures you can confidently act on alerts, knowing they represent genuine threats.
  • Ease of Use: While decrypting traffic offers the highest level of protection, it isn’t always feasible. A significant advantage of our new capability is that it does not require decryption policies to detect and block this covert C2 channel. This streamlines deployment and management, enabling enhanced protection without adding operational complexity.

Stay Ahead of Evolving Threats

The introduction of this cloud-based, Precision AI-powered deep learning model marks a significant step forward in combating advanced C2 threats. Proactively detecting and preventing encrypted Sliver C2 communications empowers customers to strengthen their security posture and protect valuable assets.

Don’t let encrypted channels become a blind spot in your defenses. Harness the power of machine learning with Palo Alto Networks Advanced Threat Prevention to gain the visibility and control needed to safeguard your organization against the latest adversarial techniques.

To learn more about this new feature and how Palo Alto Networks can help you secure your network, visit our tech docs page and watch the demo video showcasing our detection in action.
