← Back to Explore
sigmahighHunting
Sliver C2 Default Service Installation
Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
Detection Query
selection_eid:
Provider_Name: Service Control Manager
EventID: 7045
selection_service_1:
ImagePath|re: ^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe
selection_service_2:
ServiceName:
- Sliver
- Sliver implant
condition: selection_eid and 1 of selection_service_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-25
Data Sources
windowssystem
Platforms
windows
References
Tags
attack.persistenceattack.executionattack.privilege-escalationattack.t1543.003attack.t1569.002
Raw Content
title: Sliver C2 Default Service Installation
id: 31c51af6-e7aa-4da7-84d4-8f32cc580af2
status: test
description: Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service_1:
ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
selection_service_2:
ServiceName:
- 'Sliver'
- 'Sliver implant'
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high