mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
924e1feb54
* Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
29 lines
929 B
YAML
29 lines
929 B
YAML
title: Silence.Downloader V3
|
|
id: 170901d1-de11-4de7-bccb-8fa13678d857
|
|
status: experimental
|
|
description: Detects Silence downloader. These commands are hardcoded into the binary.
|
|
author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
|
|
date: 2019/11/01
|
|
modified: 2019/11/22
|
|
tags:
|
|
- attack.persistence
|
|
- attack.g0091
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_recon:
|
|
Image|endswith:
|
|
- '\tasklist.exe'
|
|
- '\qwinsta.exe'
|
|
- '\ipconfig.exe'
|
|
- '\hostname.exe'
|
|
CommandLine|contains: '>>'
|
|
CommandLine|endswith: 'temps.dat'
|
|
selection_persistence:
|
|
CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
|
|
condition: selection_recon | near selection_persistence # requires both
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|