Query Details

Rule Documentation: Registry Value Set for Sliver Implant Psexec execution

Sliver P Sexec

Query

DeviceRegistryEvents 
| where ActionType == 'RegistryValueSet' 
| where (RegistryValueName == 'DisplayName' and RegistryValueData == 'Sliver')
   or (RegistryValueName == 'Description' and RegistryValueData == 'Sliver implant')

About this query

Rule Documentation: Registry Value Set for Sliver Implant Psexec execution

Description

Detects registry value sets associated with the Sliver implant. https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/

Detection Logic

  • Filters DeviceRegistryEvents for actions where a registry value is set (RegistryValueSet).
  • Looks for specific registry value name and data combinations:
    • DisplayName with value Sliver.
    • Description with value Sliver implant.

Tags

  • Persistence
  • Command and Control

Search Query

Explanation

This query looks for registry value sets associated with the Sliver implant by filtering DeviceRegistryEvents for actions where a registry value is set. It specifically looks for registry value name and data combinations such as DisplayName with value Sliver and Description with value Sliver implant. The query helps detect persistence and command and control activities related to the Sliver implant.

Details

Ali Hussein profile picture

Ali Hussein

Released: May 16, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsActionTypeRegistryValueSetRegistryValueNameRegistryValueDataDisplayNameDescriptionSliver

Operators

where|==andor

Actions

GitHub