
# Sliver C2 Beacon Loaded

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1134.002 | Application Layer Protocol | https://attack.mitre.org/techniques/T1071/ |

#### Description
A Sliver C2 beacon performs the activities below in sequence within a single second. The detection combines these signals in that particular order to identify a loaded beacon.

1. Outbound connection to the C2 server
2. \wkssvc named pipe created
3. Security Access Manager loaded (samlib.dll)

#### Risk
A C2 beacon is loaded, giving an adversary hands-on-keyboard access to the device.

#### References
- https://sliver.sh/

## Defender XDR
```KQL
// Step 3 candidates: samlib.dll loaded by a process that is rare in the environment (FileProfile enrichment)
let ImageLoads = DeviceImageLoadEvents
| where ActionType == 'ImageLoaded'
| where FileName =~ "samlib.dll"
| where isnotempty(InitiatingProcessSHA256)
| invoke FileProfile(InitiatingProcessSHA256, 1000)
| where GlobalPrevalence <= 50 or isempty(GlobalPrevalence)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, ReportId;
// Step 2 candidates: the \wkssvc named pipe, limited to the processes that also appear in ImageLoads
let NamedPipes = DeviceEvents
| where ActionType == 'NamedPipeEvent'
| where isnotempty(InitiatingProcessSHA256)
| join kind=inner (ImageLoads | distinct InitiatingProcessSHA256) on InitiatingProcessSHA256
| where parse_json(AdditionalFields).PipeName == @"\Device\NamedPipe\wkssvc"
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, PipeName = parse_json(AdditionalFields).PipeName, ReportId;
// Step 1 candidates: successful outbound connections by those same processes
let Connection = DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where isnotempty(InitiatingProcessSHA256)
| join kind=inner (ImageLoads | distinct InitiatingProcessSHA256) on InitiatingProcessSHA256
| project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, ReportId;
// Stitch the three event types into one timeline and look for s1 -> s2 -> s3, each within one second of the
// previous step, correlated on device, initiating process hash and account SID
union NamedPipes, ImageLoads, Connection
| sort by Timestamp asc, DeviceId, InitiatingProcessSHA256
| scan with_match_id=Id declare (Step:string, Delta:timespan) with (
    step InitialConnection: ActionType == "ConnectionSuccess" => Step = 's1';
    step NamedPipe: ActionType == 'NamedPipeEvent' and DeviceId == InitialConnection.DeviceId and InitiatingProcessSHA256 == InitialConnection.InitiatingProcessSHA256 and Timestamp between (InitialConnection.Timestamp .. datetime_add('second', 1, InitialConnection.Timestamp)) and InitiatingProcessAccountSid == InitialConnection.InitiatingProcessAccountSid => Step = 's2', Delta = Timestamp - InitialConnection.Timestamp;
    step ImageLoad: ActionType == 'ImageLoaded' and DeviceId == NamedPipe.DeviceId and InitiatingProcessSHA256 == NamedPipe.InitiatingProcessSHA256 and Timestamp between (NamedPipe.Timestamp .. datetime_add('second', 1, NamedPipe.Timestamp)) and InitiatingProcessAccountSid == NamedPipe.InitiatingProcessAccountSid => Step = 's3', Delta = Timestamp - NamedPipe.Timestamp;
)
// Keep only the rows that completed the full sequence
| where Step == 's3'
```

## Explanation

This KQL query detects a specific sequence of events that indicates a Sliver C2 beacon has been loaded on a device. A simplified breakdown of the query:

1. ImageLoads: identifies loads of samlib.dll and keeps only those whose initiating process is rare in the environment (a FileProfile GlobalPrevalence of 50 or less, or unknown), since a commonly seen process loading this library is unlikely to be a beacon.
2. NamedPipes: looks for creation of the \wkssvc named pipe and joins with ImageLoads so that only processes which also loaded samlib.dll are kept, indicating a potential sequence of malicious actions.
3. Connection: identifies successful outbound network connections, again joined with ImageLoads so the same process is responsible for the connection, suggesting it might be communicating with a Command and Control (C2) server.
4. Sequence Detection: the three event sets are unioned, sorted by time and passed through scan, which looks for:
   - first, a successful network connection (ConnectionSuccess);
   - followed by the creation of the named pipe (NamedPipeEvent) within one second of the connection;
   - finally, the loading of samlib.dll (ImageLoaded) within one second of the named pipe event.
   All three events must share the same DeviceId, InitiatingProcessSHA256 and InitiatingProcessAccountSid.
5. Result: if all steps occur in sequence, only the row that completed the third step (Step == 's3') is returned, indicating that a Sliver C2 beacon might be loaded and giving an adversary potential control over the device.

The query is structured to identify this sequence of actions within a very short timeframe, highlighting suspicious activity that could indicate a security threat.
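To make the correlation logic testable offline, the following Python is an added model of the scan described above (it is not code from the query page or from Sliver); it replays constructed sample events through the same three-step, one-second-per-step state machine, keyed on device, process hash and account SID, and applies the prevalence filter. The function name detect_beacon_sequences, the helper ev and the sample hashes and SIDs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)        # each step must follow the previous one within one second
PIPE = r"\Device\NamedPipe\wkssvc"   # pipe name the query matches in AdditionalFields

def _key(e):  # the scan correlates on device, initiating process hash and account SID
    return (e["DeviceId"], e["InitiatingProcessSHA256"], e["InitiatingProcessAccountSid"])
def _is_samlib_load(e):  # the query also drops loads whose initiating process is common (GlobalPrevalence > 50)
    return (e["ActionType"] == "ImageLoaded" and e.get("FileName", "").lower() == "samlib.dll"
            and (e.get("GlobalPrevalence") is None or e["GlobalPrevalence"] <= 50))

def detect_beacon_sequences(events):
    """ConnectionSuccess -> \\wkssvc pipe -> samlib.dll load; returns [conn, pipe, load] per completed chain."""
    active = defaultdict(list)       # key -> open candidates as (step, anchor_time, chain)
    matches = []
    for e in sorted(events, key=lambda x: x["Timestamp"]):
        k = _key(e)
        if e["ActionType"] == "ConnectionSuccess":
            active[k].append(("s1", e["Timestamp"], [e]))   # every connection opens a new candidate
            continue
        still_open = []
        for step, anchor, chain in active[k]:
            if e["Timestamp"] > anchor + WINDOW:
                continue                                    # window expired: drop the candidate
            if step == "s1" and e["ActionType"] == "NamedPipeEvent" and e.get("PipeName") == PIPE:
                still_open.append(("s2", e["Timestamp"], chain + [e]))
            elif step == "s2" and _is_samlib_load(e):
                matches.append(chain + [e])                 # all three steps seen: beacon loaded
            else:
                still_open.append((step, anchor, chain))    # unrelated event, keep waiting
        active[k] = still_open
    return matches

def ev(ms, action, **extra):         # builds a constructed sample event (not real telemetry)
    base = {"Timestamp": datetime(2025, 11, 6, 10) + timedelta(milliseconds=ms), "DeviceId": "dev1",
            "ActionType": action, "InitiatingProcessSHA256": "hashA", "InitiatingProcessAccountSid": "S-1-5-21-1"}
    return {**base, **extra}

SAMPLE = [
    ev(0, "ConnectionSuccess", RemoteIP="203.0.113.10"),
    ev(400, "NamedPipeEvent", PipeName=PIPE),
    ev(900, "ImageLoaded", FileName="samlib.dll", GlobalPrevalence=3),     # full chain -> one match
    ev(10000, "ConnectionSuccess", RemoteIP="203.0.113.10"),
    ev(10500, "NamedPipeEvent", PipeName=PIPE),
    ev(15000, "ImageLoaded", FileName="samlib.dll", GlobalPrevalence=3),   # load 4.5 s after the pipe -> no match
    ev(20000, "ConnectionSuccess", InitiatingProcessSHA256="hashB"),
    ev(20300, "NamedPipeEvent", PipeName=PIPE, InitiatingProcessSHA256="hashB"),
    ev(20600, "ImageLoaded", FileName="samlib.dll", GlobalPrevalence=5000, InitiatingProcessSHA256="hashB"),  # common process -> no match
]
```

Running detect_beacon_sequences(SAMPLE) yields exactly one chain, the first three events; the second group fails the one-second window and the third fails the prevalence filter, mirroring the query's filters.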

## Details

Author: Bert-Jan Pals

Released: November 6, 2025

Tables: DeviceImageLoadEvents, DeviceEvents, DeviceNetworkEvents
