Windows Service Create SliverC2

name: Windows Service Create SliverC2
id: 89dad3ee-57ec-43dc-9044-131c4edd663f
version: 10
date: '2026-03-10'
author: Michael Haag, Splunk
type: TTP
status: production
data_source:
    - Windows Event Log System 7045
description: The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System Event log to identify this activity. This behavior is significant as it may indicate an adversary's attempt to establish persistence or execute commands remotely. If confirmed malicious, this activity could allow attackers to maintain control over the compromised system, execute arbitrary code, and further infiltrate the network.
search: |-
    `wineventlog_system` EventCode=7045 ServiceName="sliver"
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY Computer EventCode ImagePath
           ServiceName ServiceType
      | rename Computer as dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_service_create_sliverc2_filter`
how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged from the System Event log. The Windows TA for Splunk is also recommended.
known_false_positives: False positives should be limited, but if another service out there is named Sliver, filtering may be needed.
references:
    - https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16
    - https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
    - https://regex101.com/r/DWkkXm/1
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A user mode service was created on $dest$ related to SliverC2.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - BishopFox Sliver Adversary Emulation Framework
        - Compromised Windows Host
        - Hellcat Ransomware
    asset_type: Endpoint
    mitre_attack_id:
        - T1569.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log
          source: XmlWinEventLog:System
          sourcetype: XmlWinEventLog