This pack detects various artefacts left behind by default configurations of the C2 framework Sliver PsExec module
name: Windows.System.Services.SliverPsexec
description: |
This pack detects various artefacts left behind by default configurations of the C2 framework Sliver PsExec module
Reference: https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Zach Stanford - @svch0st
precondition:
SELECT OS from info() where OS = "windows"
sources:
- name: Sliver PsExec - Services Registry Key
query: |
SELECT * FROM Artifact.Windows.System.Services()
WHERE Name =~ "^Sliver" or
DisplayName =~ "^Sliver" or
Description =~ "Sliver implant" or
PathName =~ ":\\\\Windows\\\\Temp\\\\[a-zA-Z0-9]{10}\\.exe"
- name: Sliver PsExec - Service Installed Event Log
query: |
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(PathRegex="System.evtx",IdRegex="^7045$")
WHERE EventData.ServiceName =~ "^Sliver$" or
EventData.ImagePath =~ ":\\\\Windows\\\\Temp\\\\[a-zA-Z0-9]{10}\\.exe"