HackTool - Sliver C2 Implant Activity Pattern

Rule name: HackTool - Sliver C2 Implant Activity Pattern
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Execution: Command and Scripting Interpreter (T1059)
Severity: Critical

About the rule

Rule Type: Standard

Rule Description: Detects process activity patterns seen in use by Sliver C2 framework implants.

Severity: Critical

Rule journey

Attack chain scenario

Initial Access → Payload Delivery → Implant Execution → C2 Communication → Lateral Movement → Data Exfiltration

Impact

  • Credential theft
  • Privilege escalation
  • Remote control
  • Data exfiltration

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To enable detailed process tracking:

  1. Log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc.
  2. Create a new Group Policy Object (GPO) or edit an existing one linked to the appropriate OU.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking, then enable audit events for Process Creation and Process Termination by selecting “Success”.
  4. For enhanced visibility, go to Administrative Templates > System > Audit Process Creation, enable the policy Include command line in process creation events, and apply the changes.
  5. Additionally, create the registry key "Microsoft-Windows-Security-Auditing/Operational" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ to ensure proper event logging.

  • Using Sysmon:

  1. Download and install Sysmon from Microsoft Sysinternals, then open a Command Prompt with administrator privileges.
  2. Use a configuration file that includes process creation monitoring and install Sysmon with sysmon.exe -i [configfile.xml].
  3. Ensure the configuration captures all process creations.
  4. Create the "Microsoft-Windows-Sysmon/Operational" registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist, for proper logging.

Criteria

Action1: actionname = "Process started" AND COMMANDLINE contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
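To show how the criteria above resolve against process telemetry, here is an added Python example (not the product's or the rule authors' code) that applies the same command-line substring match to constructed Sysmon process-creation records and returns the fields the rule selects. Host names, user names, paths and the parent process are hypothetical, and treating "contains" as case-insensitive is an assumption.

```python
import xml.etree.ElementTree as ET

# Substring the rule above looks for in the process command line.
PATTERN = "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def make_event(event_id, host, **fields):
    """Render a constructed Sysmon-style event; all values are hypothetical."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{host}</Computer></System><EventData>{data}</EventData></Event>")


# Constructed sample telemetry (not real captures): one hit, one benign
# PowerShell launch, and one network event that carries no command line.
SAMPLE_EVENTS = [
    make_event(1, "WS-0042", Image=PS, CommandLine="powershell.exe " + PATTERN,
               User=r"CORP\jdoe", ParentImage=r"C:\Users\jdoe\AppData\Local\Temp\update.exe"),
    make_event(1, "WS-0042", Image=PS, CommandLine="powershell.exe -NoProfile -Command Get-Process",
               User=r"CORP\jdoe", ParentImage=r"C:\Windows\explorer.exe"),
    make_event(3, "WS-0042", Image=PS, DestinationPort="443"),
]


def matches_rule(event_xml):
    """Return the rule's selected fields for a hit, or None when the event does not match."""
    root = ET.fromstring(event_xml)
    # Only process-creation events (Sysmon Event ID 1) count as "Process started".
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    # Assumed case-insensitive "contains"; adjust if your query engine matches case-sensitively.
    if PATTERN.lower() not in data.get("CommandLine", "").lower():
        return None
    return {"HOSTNAME": root.findtext("e:System/e:Computer", namespaces=NS),
            "COMMANDLINE": data["CommandLine"], "PROCESSNAME": data.get("Image"),
            "USERNAME": data.get("User"), "PARENTPROCESSNAME": data.get("ParentImage")}


def scan(events):
    """Apply the rule to a batch of events and return every hit."""
    return [hit for hit in map(matches_rule, events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent process and user in a hit are what triage looks at first: a PowerShell launched with this exact flag set from an unexpected parent is the pattern the rule is built around.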

Detection

Execution Mode: realtime

Log Sources: Windows

MITRE ATT&CK

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

1. NIST SP 800-53 Rev. 5 – SI-4 (System Monitoring)

Requires organizations to monitor systems for unauthorized activities and security-relevant events.
Triggering this rule enables continuous system monitoring by detecting Sliver C2 implant behavior patterns, aligning with proactive threat detection requirements.

2. NIST SP 800-53 Rev. 5 – IR-5 (Incident Monitoring)

Mandates the capability to monitor, track, and respond to security incidents in a timely manner.
Triggering this rule supports real-time detection of advanced implants, enabling rapid response to command-and-control (C2) activity and reducing attacker dwell time.

3. NIST SP 800-137 – ISCM (Information Security Continuous Monitoring)

Focuses on continuous assessment and analysis of security controls to support risk-based decisions.
Triggering this rule contributes to continuous monitoring practices by flagging behavioral anomalies linked to Sliver C2 implants.

4. NIST CSF – DE.CM (Detection Processes)

Ensures that detection processes and tools are in place to identify cybersecurity events.
Triggering this rule strengthens detection capabilities by identifying known activity patterns of malicious C2 frameworks like Sliver.

Author

Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered when legitimate red team assessments or penetration tests use Sliver C2 for simulation purposes. It may also be triggered during the execution of security research tools that mimic Sliver-like behavior for testing environments.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
  4. Containment: Isolate the affected host to prevent lateral movement and further compromise within the environment.
  5. Eradication: Remove the Sliver C2 implant and associated artifacts from the system, and apply patches or configuration changes to prevent reinfection.

Mitigation

Mitigation ID | Mitigation Name | Description
M1049 | Antivirus/Antimalware | Antivirus can be used to quarantine suspicious files automatically.
M1047 | Audit | Inventory systems for unauthorized command and scripting interpreter installations.
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Visual Basic and JavaScript scripts from executing potentially malicious downloaded content.
M1045 | Code Signing | Where possible, only permit the execution of signed scripts.
M1042 | Disable or Remove Feature or Program | Disable or remove any unnecessary or unused shells or interpreters.
M1038 | Execution Prevention | Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).
M1033 | Limit Software Installation | Prevent user installation of unrequired command and scripting interpreters.
M1026 | Privileged Account Management | If PowerShell usage is required, limit its execution to administrators by configuring the execution policy accordingly. Remember that certain environment configurations may allow policy bypass techniques. To further enhance security, implement PowerShell Just Enough Administration to restrict and control the specific commands that users or administrators can execute during remote sessions.
M1021 | Restrict Web-Based Content | Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.