LoFP

False positives should be limited, but if another service out there is named "sliver", filtering may be needed.

Techniques

Sample rules

Windows Service Create SliverC2

Description

When an adversary uses SliverC2 to move laterally with its psexec module, it creates a service whose name and description are "Sliver" and "Sliver Implant". Note that these values are easily changed and are specific to SliverC2. We have also created the same regex Microsoft outlined, to attempt to capture the suspicious service path (regex101 reference).

Detection logic

`wineventlog_system` EventCode=7045 ServiceName="sliver" 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_service_create_sliverc2_filter`