Potential COLDSTEEL RAT File Indicators

calendar Aug 12, 2024 · attack.persistence attack.defense-evasion detection.emerging-threats  ·
Share on: linkedin copy

Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents" directory. Seen being used by the COLDSTEEL RAT in some of its variants.

Sigma rule (View on GitHub)

 1title: Potential COLDSTEEL RAT File Indicators
 2id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
 3status: test
 4description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-04-30
 9tags:
10    - attack.persistence
11    - attack.defense-evasion
12    - detection.emerging-threats
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename: 'C:\users\public\Documents\dllhost.exe'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

  • ƒq°Çnk·eÞN¿gÇ}ãe=û|»“:ÚîbwSuô{/ëØ}í¾ÌûÙ׫†ö`û>æ#íQÌGÛ�±¬=‘ùdFÔuì§ígU{º=‹ù‹ö"eÚ‹íïu¯²×3ßhob¾ÙÞ¢Ž·Ãv�j`o· ÕÉv‘]¬,»Ô.g^iïSÍôonêø·ú·ªVþR™Êñ—û+•×¿Ç¿O5ôWûUG~ p—”á›íŽÚÍ»ý·èÈ)ÕhwU*m+%ðCe¸ÀÇp“ålEÄú...


    Read More

Related rules

to-top