Detectionhightest
Sliver C2 Default Service Installation
Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Thu Aug 2531c51af6-e7aa-4da7-84d4-8f32cc580af2windows
Log Source
Windowssystem
ProductWindows← raw: windows
Servicesystem← raw: system
Detection Logic
Detection Logic3 selectors
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service_1:
ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
selection_service_2:
ServiceName:
- 'Sliver'
- 'Sliver implant'
condition: selection_eid and 1 of selection_service_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
31c51af6-e7aa-4da7-84d4-8f32cc580af2
Status
test
Level
high
Type
Detection
Created
Thu Aug 25
Path
rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
Raw Tags
attack.persistenceattack.executionattack.privilege-escalationattack.t1543.003attack.t1569.002