Detecting Sliver C2: When Advanced Beaconing Tries to Hide in Plain Sight
2026-03-23 · via Vectra AI Blog

Security teams might miss the moment an attacker gets in, but they eventually see the traffic that follows.

A compromised system begins reaching out to something it should not be talking to. The connection repeats, waits and repeats again. This is the role of command-and-control infrastructure.

In a previous article, I explained how attackers use Brute Ratel to maintain covert command channels inside compromised environments. Tools like Brute Ratel deliberately shape their traffic to blend into legitimate web activity and avoid traditional detection methods.

Another tool built with the same philosophy is Sliver, an open-source command-and-control framework that introduces additional layers of randomization into beacon traffic to make detection even more difficult.

From initial access to command and control

Attackers rarely deploy a command-and-control framework directly. They first need an entry point.

In many intrusions, that foothold begins with a vulnerability in an internet-facing service. A recent example is React2Shell (CVE-2025-55182), a critical flaw affecting React Server Components used in frameworks like Next.js. Exploiting the vulnerability allows an attacker to execute code on a vulnerable server using a crafted HTTP request.

Once code execution is achieved, attackers move quickly to establish persistence and remote control.

This is where post-exploitation frameworks come into play.

Instead of building custom malware, attackers often rely on mature open-source tools that provide a full operational toolkit for managing compromised hosts. These frameworks handle the difficult parts of intrusion operations: secure communications, tasking infected systems, transferring files, and coordinating activity across multiple compromised machines.

Sliver is one of those tools.

Diagram showing the different attacker payloads using React2Shell. Source: Wiz

What Sliver is and why attackers use it

Sliver has quickly become one of the most widely used open-source post-exploitation frameworks. Originally developed for adversary simulation and red-team operations, the project provides a mature platform for managing compromised systems and coordinating intrusion activity.

Screenshot: Sliver on GitHub

Several factors explain its growing adoption:

  1. Sliver is fully open source and actively maintained, which lowers the barrier for attackers compared to commercial frameworks. Operators can easily generate customized implants, modify communication profiles, and integrate the framework into automated intrusion workflows.
  2. The framework was designed with operational flexibility in mind. Sliver supports multiple operating systems, communication protocols, and transport mechanisms, allowing operators to adapt the command channel to the environment they are targeting. HTTP and HTTPS transports are particularly common because they blend naturally into normal enterprise traffic.
  3. Sliver incorporates built-in traffic obfuscation techniques intended to make command traffic difficult to identify. The framework can introduce timing variation between beacon requests, alter the size and structure of transmitted data, and rotate encoding mechanisms that reshape the appearance of the network traffic.

These design choices make Sliver attractive to attackers who want a capable command-and-control platform without writing custom malware. At the same time, they create a more complex detection challenge for security teams trying to identify command channels hidden within encrypted traffic.

Why beaconing is normally easier to detect

Traditional command-and-control frameworks tend to produce predictable network patterns.

If an implant checks in every 60 seconds and sends roughly the same amount of data each time, the resulting traffic pattern becomes easy to identify.

Security tools can detect these patterns by analyzing:

  • consistent timing between connections
  • repeated communication with the same destination
  • similar payload sizes across requests

To evade detection, more advanced frameworks introduce randomness into those patterns. They may vary the timing between connections or alter the size of the data transmitted in each request. These techniques create what is known as evasive beaconing, where the communication pattern still exists but becomes harder to recognize.

Many modern post-exploitation tools support these techniques out of the box.

Sliver takes the idea further.

What makes Sliver harder to detect

Most command-and-control frameworks rely on two basic evasion techniques.

The first is time jitter, where the implant randomly adjusts the delay between beacon requests. Instead of checking in every 60 seconds, it might check in after 48 seconds, then 72 seconds, then 63 seconds.

The second is data jitter, where the size of each request is slightly different. A small amount of random data may be appended to the beacon message so that the network traffic does not appear identical each time.

Sliver introduces a more sophisticated approach known as procedural data jitter.

Example of data jitter: a random amount of data is appended to each request, yet the requests are still easily clustered together on the data-transfer amounts alone.

Rather than changing just one element of the request, Sliver modifies several parameters simultaneously. Each beacon request may use a different HTTP path, a different encoding method, and a randomized value that alters the request structure.

An example of idling Sliver in HTTP beacon mode with the data jitter clustering algorithm applied (and no time jitter).

The framework supports multiple encoders, including Base64, hexadecimal encoding, gzip compression, and even encodings that transform binary data into English text or valid PNG files. Each encoding method changes the compression efficiency of the transmitted data, which produces different payload sizes across requests.

Instead of creating a single cluster of similar beacon messages, Sliver produces multiple distinct patterns in network traffic.

For detection systems that expect beacon messages to look similar, this variability breaks the pattern.

Evidence attackers are already using Sliver

Sliver is not just a red-team tool.

Security researchers have documented campaigns where attackers deployed Sliver implants after gaining access to exposed infrastructure.

One example comes from research by CtrlAltIntel, which uncovered a campaign targeting internet-facing FortiWeb appliances. After exploiting exposed systems, the attackers deployed Sliver implants disguised as system update utilities. The compromised devices began beaconing to attacker-controlled infrastructure, allowing operators to maintain remote control of the affected servers.

The investigation revealed dozens of compromised hosts communicating with the command server, illustrating how quickly open-source post-exploitation frameworks like Sliver can move from red-team tooling into real intrusion activity. These cases reflect a broader trend in intrusion activity.

Open-source post-exploitation frameworks allow attackers to operate quickly without developing custom malware. The tools provide mature command-and-control capabilities while blending in with legitimate network traffic.

For defenders, this makes identifying the command channel a critical step in detecting an active intrusion.

Why traditional detection methods struggle

Many command-and-control detection techniques rely on identifying regular communication patterns, where beacon messages occur at consistent intervals and often transmit similar amounts of data.

If most requests contain roughly the same number of bytes, the traffic pattern can be grouped into a single cluster and identified as beaconing behavior.

Sliver’s encoder rotation disrupts this assumption. Because each encoding method produces a different compression ratio, the resulting beacon messages fall into several distinct size ranges rather than one dominant cluster. This multi-band pattern can evade algorithms that expect beacon messages to remain similar.

In encrypted traffic, where payload inspection is not possible, these variations make detection significantly more difficult.
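The three indicators listed under "Why beaconing is normally easier to detect" (consistent timing, one destination, similar sizes) and the multi-band size effect of encoder rotation described in this section, as an added worked example. This is not Vectra's code and not Sliver's; the hosts, IP addresses, check-in message, thresholds and flow log are all constructed for illustration. It encodes one placeholder check-in message with three of the encoders named above (Base64, hexadecimal, gzip) to show the distinct size bands they produce, then runs two detectors over a constructed flow log: one that requires regular timing and a single dominant size cluster, and one that keys on timing regularity to a single destination regardless of size.

```python
"""
Added example (not Vectra's code or Sliver's): a beacon detector over a constructed
connection log, showing why a single-size-cluster assumption fails once an implant
rotates encoders, while timing regularity to one destination still stands out.
"""
import base64
import binascii
import gzip
import random
import statistics
from collections import defaultdict

# Constructed placeholder for an idle check-in message: 54 bytes repeated 8 times,
# so it is highly compressible and the three encoders yield very different sizes.
CHECKIN = b'{"id":"beacon-placeholder","status":"idle","tasks":[]}' * 8

# Three of the encoders the article names; each reshapes the same message differently.
ENCODERS = {
    "base64": base64.b64encode,
    "hex": binascii.hexlify,
    "gzip": gzip.compress,
}


def encoded_sizes(payload=CHECKIN):
    """Bytes on the wire for one check-in under each encoder."""
    return {name: len(enc(payload)) for name, enc in ENCODERS.items()}


def simulate_flows(seed=7):
    """Constructed flow records (timestamp, src, dst, bytes_sent) for three hosts."""
    rng = random.Random(seed)
    sizes = encoded_sizes()
    flows = []
    # Host A: classic beacon, 60 s interval, +-30 % time jitter, always base64.
    t = 0.0
    for _ in range(40):
        t += 60 * rng.uniform(0.7, 1.3)
        flows.append((t, "10.0.0.11", "203.0.113.5", sizes["base64"]))
    # Host B: same timing jitter, but the encoder rotates on every request.
    t = 0.0
    for _ in range(40):
        t += 60 * rng.uniform(0.7, 1.3)
        flows.append((t, "10.0.0.12", "198.51.100.7", sizes[rng.choice(list(ENCODERS))]))
    # Host C: ordinary browsing to a web server, irregular gaps and sizes.
    t = 0.0
    for _ in range(40):
        t += rng.expovariate(1 / 60)
        flows.append((t, "10.0.0.13", "192.0.2.80", rng.randint(200, 5000)))
    flows.sort()
    return flows


def interval_cv(times):
    """Coefficient of variation of inter-arrival gaps: ~0 for a metronome, ~1 for random."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("inf")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def size_bands(sizes, gap=64):
    """1-D clustering: sorted sizes split wherever neighbours differ by more than `gap` bytes."""
    bands = []
    for s in sorted(sizes):
        if bands and s - bands[-1][-1] <= gap:
            bands[-1].append(s)
        else:
            bands.append([s])
    return bands


def profile(flows):
    """Per (src, dst) pair: request count, timing regularity, number of size bands."""
    by_pair = defaultdict(list)
    for t, src, dst, size in flows:
        by_pair[(src, dst)].append((t, size))
    return {
        pair: {
            "count": len(recs),
            "cv": interval_cv([t for t, _ in recs]),
            "bands": len(size_bands([s for _, s in recs])),
        }
        for pair, recs in by_pair.items()
    }


def size_cluster_detector(p, max_cv=0.3, min_count=20):
    """The assumption the article describes: regular timing AND one dominant size cluster."""
    return p["count"] >= min_count and p["cv"] <= max_cv and p["bands"] == 1


def timing_detector(p, max_cv=0.3, min_count=20):
    """Size-agnostic: regular timing to one destination is enough, however many bands."""
    return p["count"] >= min_count and p["cv"] <= max_cv


def run(seed=7):
    """Map 'src->dst' to (size-cluster verdict, timing verdict, band count)."""
    return {
        f"{s}->{d}": (size_cluster_detector(p), timing_detector(p), p["bands"])
        for (s, d), p in profile(simulate_flows(seed)).items()
    }


if __name__ == "__main__":
    print("encoded sizes:", encoded_sizes())
    for pair, (naive, timing, bands) in run().items():
        print(f"{pair:26} size-cluster={naive!s:5} timing={timing!s:5} bands={bands}")
```

Running it shows the same 432-byte message becoming 576 bytes as Base64, 864 bytes as hex and well under 200 bytes gzipped, so a rotating implant scatters its requests across three size bands. The size-cluster detector flags the constant-encoder host but misses the rotating one, while the timing-only detector flags both and leaves the browsing host alone. The CV ceiling of 0.3 and the 20-request minimum are illustrative assumptions, not tuned production thresholds; real jitter settings, sparser check-ins and busier destinations all push a detector toward the richer sequence features the article goes on to describe.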

Attackers also frequently modify Sliver implants or deliver them through custom shellcode loaders designed to evade antivirus and endpoint detection systems. These techniques allow the payload to execute entirely in memory, reducing the chance of detection on the host. However, once the implant establishes its command channel, the beaconing communication still produces observable patterns on the network.

Detecting Sliver through behavioral analysis

Even when payloads are encrypted and unreadable, command-and-control traffic still leaves behind behavioral patterns.

The Vectra AI Platform analyzes those patterns to identify command-and-control frameworks like Sliver, even when attackers attempt to disguise their traffic with jitter, encoder rotation, or other evasion techniques.

Rather than relying on signatures or payload inspection, the platform applies deep learning models trained on large volumes of real network telemetry. These models evaluate sequences of network activity such as packet lengths, timing intervals, and communication direction between hosts to detect behavioral patterns consistent with beaconing.

Because attackers must maintain communication with the systems they compromise, that command channel remains one of the most reliable places to identify an active intrusion.

When Sliver beaconing blends into normal web traffic, those behavioral signals still stand out.

To see how the Vectra AI Platform identifies command-and-control activity like Sliver in real environments, watch the self-guided demo.