Detection rules › Sigma
Sliver C2 Default Service Installation
Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 |
Stages and Predicates
Stage 1: selection_eid
Provider_Name: 'Service Control Manager'
Stage 2: 1 of selection_service_1
ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
Stage 3: 1 of selection_service_2
ServiceName: ['Sliver implant', Sliver]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ImagePath | regex_match |
|
Provider_Name | eq |
|
ServiceName | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Invoke-Obfuscation Via Use Rundll32 - System (adds 5 filters)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (adds 5 filters)
- Invoke-Obfuscation VAR+ Launcher - System (adds 4 filters)
- Invoke-Obfuscation COMPRESS OBFUSCATION - System (adds 4 filters)
- Invoke-Obfuscation RUNDLL LAUNCHER - System (adds 4 filters)
- Invoke-Obfuscation CLIP+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation STDIN+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation Via Stdin - System (adds 3 filters)
- Invoke-Obfuscation Via Use MSHTA - System (adds 2 filters)
- ProcessHacker Privilege Elevation (adds 2 filters)
- Invoke-Obfuscation Via Use Clip - System (adds 1 filter)
- Credential Dumping Tools Service Execution - System (adds 1 filter)
- Moriya Rootkit - System (adds 1 filter)
- PowerShell Scripts Installed as Services (adds 1 filter)
- Service Installed By Unusual Client - System (adds 1 filter)
- Suspicious Service Installation (adds 1 filter)
- Tap Driver Installation (adds 1 filter)
- RTCore Suspicious Service Installation (adds 1 filter)
- Service Installation in Suspicious Folder (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 1 filter this rule applies)