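title: Silence.Downloader V3
id: 170901d1-de11-4de7-bccb-8fa13678d857
status: experimental
description: Detects Silence downloader. These commands are hardcoded into the binary.
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
date: 2019/11/01
modified: 2019/11/22
tags:
  # selection_recon covers the discovery commands, selection_persistence the Run key.
  - attack.discovery
  - attack.t1057      # process discovery (tasklist)
  - attack.t1016      # system network configuration discovery (ipconfig)
  - attack.t1082      # system information discovery (hostname)
  - attack.persistence
  - attack.t1547.001  # registry Run key persistence (REG ADD ... \CurrentVersion\Run)
  - attack.g0091
logsource:
  category: process_creation
  product: windows
detection:
  # Host recon binaries whose output is appended (">>") to the hardcoded temps.dat file.
  # All three fields must match within one process_creation event.
  selection_recon:
    Image|endswith:
      - '\tasklist.exe'
      - '\qwinsta.exe'
      - '\ipconfig.exe'
      - '\hostname.exe'
    CommandLine|contains: '>>'
    CommandLine|endswith: 'temps.dat'
  # Persistence via HKCU Run key; the value name "WinNetworkSecurity" is hardcoded in the binary.
  # Single quotes keep the backslashes and inner double quotes literal.
  selection_persistence:
    CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
  # `near` is a temporal aggregation: both selections have to fire close to each other.
  # Backend support for `near` is limited; confirm the target backend implements it
  # before relying on this rule, or split it into two independent rules.
  condition: selection_recon | near selection_persistence # requires both
fields:
  - ComputerName
  - User
  - Image
  - CommandLine
falsepositives:
  - Unknown
level: high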