Sliver C2beacon Loaded
Query
let ImageLoads = DeviceImageLoadEvents
| where ActionType == 'ImageLoaded'
| where FileName =~ "samlib.dll"
| where isnotempty(InitiatingProcessSHA256)
| invoke FileProfile(InitiatingProcessSHA256, 1000)
| where GlobalPrevalence <= 50 or isempty(GlobalPrevalence)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, ReportId;
let UniqueHashes = toscalar (ImageLoads|summarize make_set(InitiatingProcessSHA256));
let NamedPipes = DeviceEvents
| where ActionType == 'NamedPipeEvent'
| where InitiatingProcessSHA256 in (UniqueHashes)
| join kind=inner (ImageLoads | distinct InitiatingProcessSHA256) on InitiatingProcessSHA256
| where parse_json(AdditionalFields).PipeName == @"\Device\NamedPipe\wkssvc"
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, PipeName = parse_json(AdditionalFields).PipeName, ReportId;
let Connection = DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessSHA256 in (UniqueHashes)
| join kind=inner (ImageLoads | distinct InitiatingProcessSHA256) on InitiatingProcessSHA256
| project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, ReportId;
union NamedPipes, ImageLoads, Connection
| sort by DeviceId, Timestamp asc, InitiatingProcessSHA256
| scan with_match_id=Id declare (Step:string, Delta:timespan) with (
step InitialConnection: ActionType == "ConnectionSuccess" => Step = "s1";
step NamedPipe: ActionType == 'NamedPipeEvent' and DeviceId == InitialConnection.DeviceId and InitiatingProcessSHA256 == InitialConnection.InitiatingProcessSHA256 and Timestamp between (Timestamp .. datetime_add('second', 1, InitialConnection.Timestamp)) and InitiatingProcessAccountSid == InitialConnection.InitiatingProcessAccountSid => Step = 's2', Delta = Timestamp - InitialConnection.Timestamp;
step ImageLoad: ActionType == 'ImageLoaded' and DeviceId == NamedPipe.DeviceId and InitiatingProcessSHA256 == NamedPipe.InitiatingProcessSHA256 and Timestamp between (Timestamp .. datetime_add('second', 1, NamedPipe.Timestamp)) and InitiatingProcessAccountSid == NamedPipe.InitiatingProcessAccountSid => Step = 's3', Delta = Timestamp - NamedPipe.Timestamp;
)
| where Step == 's3'About this query
Sliver C2 Beacon Loaded
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1134.002 | Application Layer Protocol | https://attack.mitre.org/techniques/T1071/ |
Description
A Sliver C2 beacon performs the below activities in sequence within a second. The detection combines these sigals in that particular sequence to detect a loaded beacon.
- Outbound connection to C2 Server
- \wkssvc namedpipe created
- Security Access Manager loaded (samlib.dll)
Risk
C2 Beacon loaded giving an adversary hands on keyboard access to the device.
References
Defender XDR
Explanation
This KQL query is designed to detect a specific sequence of activities that indicate a Sliver C2 (Command and Control) beacon has been loaded on a device. Here's a simplified breakdown of what the query does:
-
Image Load Detection: It first looks for events where a file named
samlib.dllis loaded on a device. This file is associated with the Security Access Manager. The query filters these events to include only those where the initiating process has a low global prevalence (indicating it might be rare or suspicious). -
Named Pipe Creation: It then checks for events where a named pipe
\wkssvcis created. This is a specific type of inter-process communication that might be used by malware. The query ensures that this event is linked to the same process that loadedsamlib.dll. -
Outbound Connection: The query also looks for successful outbound network connections made by the same process. This is indicative of the process attempting to communicate with a C2 server.
-
Sequence Matching: The query combines these events in a specific order: first, the outbound connection, followed by the named pipe creation, and finally the loading of
samlib.dll. All these actions must occur within a second of each other for the detection to trigger. -
Risk: If this sequence is detected, it suggests that a C2 beacon has been loaded, potentially giving an attacker remote access to the device.
The query is structured to identify this sequence of actions and flag it as a potential security threat, helping security teams to respond to possible intrusions.
Details

Bert-Jan Pals
Released: November 12, 2025
Tables
Keywords
Operators