Query Details

Sliver C2beacon Loaded

Query

let ImageLoads = DeviceImageLoadEvents
| where ActionType == 'ImageLoaded'
| where FileName =~ "samlib.dll"
| where isnotempty(InitiatingProcessSHA256)
| invoke FileProfile(InitiatingProcessSHA256, 1000)
| where GlobalPrevalence <= 50 or isempty(GlobalPrevalence)
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, ReportId;
let UniqueHashes = toscalar (ImageLoads|summarize make_set(InitiatingProcessSHA256)); 
let NamedPipes = DeviceEvents
| where ActionType == 'NamedPipeEvent'
| where InitiatingProcessSHA256 in (UniqueHashes)
| join kind=inner (ImageLoads | distinct InitiatingProcessSHA256) on InitiatingProcessSHA256
| where parse_json(AdditionalFields).PipeName == @"\Device\NamedPipe\wkssvc"
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, PipeName = parse_json(AdditionalFields).PipeName, ReportId;
let Connection = DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessSHA256 in (UniqueHashes)
| join kind=inner (ImageLoads | distinct InitiatingProcessSHA256) on InitiatingProcessSHA256
| project Timestamp, DeviceId, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessAccountSid, ReportId;
union NamedPipes, ImageLoads, Connection
| sort by DeviceId, Timestamp asc, InitiatingProcessSHA256
| scan with_match_id=Id declare (Step:string, Delta:timespan) with (
    step InitialConnection: ActionType == "ConnectionSuccess" => Step = "s1";
    step NamedPipe: ActionType == 'NamedPipeEvent' and DeviceId == InitialConnection.DeviceId and InitiatingProcessSHA256 == InitialConnection.InitiatingProcessSHA256 and Timestamp between (Timestamp .. datetime_add('second', 1, InitialConnection.Timestamp)) and InitiatingProcessAccountSid == InitialConnection.InitiatingProcessAccountSid => Step = 's2', Delta = Timestamp - InitialConnection.Timestamp;
    step ImageLoad: ActionType == 'ImageLoaded' and DeviceId == NamedPipe.DeviceId and InitiatingProcessSHA256 == NamedPipe.InitiatingProcessSHA256 and Timestamp between (Timestamp .. datetime_add('second', 1, NamedPipe.Timestamp)) and InitiatingProcessAccountSid == NamedPipe.InitiatingProcessAccountSid  => Step = 's3', Delta = Timestamp - NamedPipe.Timestamp;
)
| where Step == 's3'

About this query

Sliver C2 Beacon Loaded

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1134.002Application Layer Protocolhttps://attack.mitre.org/techniques/T1071/

Description

A Sliver C2 beacon performs the below activities in sequence within a second. The detection combines these sigals in that particular sequence to detect a loaded beacon.

  1. Outbound connection to C2 Server
  2. \wkssvc namedpipe created
  3. Security Access Manager loaded (samlib.dll)

Risk

C2 Beacon loaded giving an adversary hands on keyboard access to the device.

References

Defender XDR

Explanation

This KQL query is designed to detect a specific sequence of activities that indicate a Sliver C2 (Command and Control) beacon has been loaded on a device. Here's a simplified breakdown of what the query does:

  1. Image Load Detection: It first looks for events where a file named samlib.dll is loaded on a device. This file is associated with the Security Access Manager. The query filters these events to include only those where the initiating process has a low global prevalence (indicating it might be rare or suspicious).

  2. Named Pipe Creation: It then checks for events where a named pipe \wkssvc is created. This is a specific type of inter-process communication that might be used by malware. The query ensures that this event is linked to the same process that loaded samlib.dll.

  3. Outbound Connection: The query also looks for successful outbound network connections made by the same process. This is indicative of the process attempting to communicate with a C2 server.

  4. Sequence Matching: The query combines these events in a specific order: first, the outbound connection, followed by the named pipe creation, and finally the loading of samlib.dll. All these actions must occur within a second of each other for the detection to trigger.

  5. Risk: If this sequence is detected, it suggests that a C2 beacon has been loaded, potentially giving an attacker remote access to the device.

The query is structured to identify this sequence of actions and flag it as a potential security threat, helping security teams to respond to possible intrusions.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 12, 2025

Tables

DeviceImageLoadEventsDeviceEventsDeviceNetworkEvents

Keywords

DeviceImageFileProcessAccountNetworkEventTimestampPipeReport

Operators

let|where===~isnotemptyinvokeorisemptyprojecttoscalarsummarizemake_setinjoinkind=inneronparse_jsondistinctasunionsort byascscanwith_match_iddeclarestepbetweendatetime_addand

MITRE Techniques

Actions

GitHub