Potential COLDSTEEL RAT File Indicators

 1title: Potential COLDSTEEL RAT File Indicators
 2id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
 3status: test
 4description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/30
 9tags:
10    - attack.persistence
11    - attack.defense_evasion
12    - detection.emerging_threats
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename: 'C:\users\public\Documents\dllhost.exe'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

• ƒq°Çnk·eÞN¿gÇ}ãe=û|»“:ÚîbwSuô{/ëØ}í¾ÌûÙ׫†ö`û>æ#íQÌGÛ�±¬=‘ùdFÔuì§ígU{º=‹ù‹ö"eÚ‹íïu¯²×3ßhob¾ÙÞ¢Ž·Ãv�j`o·ÕÉv‘]¬,»Ô.g^iïSÍôonêø·ú·ªVþR™Êñ—û+•×¿Ç¿O5ôWûUG~ p—”á›íŽÚÍ»ý·èÈ)ÕhwU*m+%ðCe¸ÀÇp“ålEÄú...

  
  Read More

Related rules

• COLDSTEEL RAT Anonymous User Process Execution
• COLDSTEEL RAT Cleanup Command Execution
• COLDSTEEL RAT Service Persistence Execution
• Potential COLDSTEEL Persistence Service DLL Creation
• Potential COLDSTEEL Persistence Service DLL Load