UTID: 86680 (Sliver Framework C2 Traffic Detection) blocking Gmail traffic

Created On 11/02/23 19:21 PM - Last Modified 04/22/24 04:38 AM


Question


Why was Gmail traffic being blocked by UTID: 86680?

Answer


Issue Overview:

Starting on 10/25/2023 (US time), there were several instances of UTID: 86680 (Sliver Framework C2 Traffic Detection) blocking Gmail traffic. Palo Alto Networks has had coverage for Sliver since 2023-03-29 with UTIDs 86674 and 86680.


Background of Sliver Framework C2:

Sliver is an open-source, cross-platform framework for adversary emulation and red teaming, used for security testing in organizations of various sizes. Its implants carry out Command and Control (C2) over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS, and are compiled dynamically so that each binary carries its own unique asymmetric encryption keys.


Workaround:

The temporary workaround was to set a threat exception for this UTID:
- How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC


Issue Resolution:

Palo Alto Networks made changes to the detection logic to address the false positive issue. The fix was released in content version 8774.


