title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: experimental
description: Detects Silence empireDNSagent
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
modified: 2020/09/01
logsource:
    product: windows
    service: powershell
detection:
    empire:
        ScriptBlockText|contains|all:           # better to randomise the order
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
         ScriptBlockText|contains|all:          # better to randomise the order
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
falsepositives:
    - Unknown
level: critical
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
    - attack.command_and_control
    - attack.t1071.004
    - attack.t1071  # an old one
    - attack.t1572
    - attack.impact
    - attack.t1529
    - attack.g0091
    - attack.s0363