Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process, based on the DLL's location and name, that might be related to the ColdSteel RAT. This DLL location and name have been seen used by ColdSteel as the service DLL for its persistence mechanism.
Sigma rule
```yaml
title: Potential COLDSTEEL Persistence Service DLL Load
id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
status: test
description: |
    Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
    - attack.persistence
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\AppData\Roaming\newdev.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
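To show what the `selection` block above actually matches, here is an added example (not part of the rule page or the Sigma project) that applies the rule's two `endswith` patterns to a handful of constructed Sysmon image-load events. It reproduces the two Sigma behaviours a tuner should be aware of: all fields in a selection are ANDed, and string matching is case-insensitive by default. The events, user names and paths are constructed for the demonstration; only the two suffix patterns come from the rule.

```python
"""Apply the rule's Sigma selection to constructed Sysmon image_load events.

Added example, not the rule page's own code. The sample events are constructed;
the two ``endswith`` patterns are copied from the rule's ``selection`` block.
"""
from typing import Iterable

# Field -> suffix, exactly as the rule's `Image|endswith` / `ImageLoaded|endswith`.
SELECTION = {
    "Image": r"\svchost.exe",
    "ImageLoaded": r"\AppData\Roaming\newdev.dll",
}


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string modifiers match case-insensitively unless told otherwise."""
    return value.lower().endswith(suffix.lower())


def matches_coldsteel_dll_load(event: dict) -> bool:
    """True only when every selection field matches (Sigma ANDs the fields of a map)."""
    return all(
        isinstance(event.get(field), str) and _endswith_ci(event[field], suffix)
        for field, suffix in SELECTION.items()
    )


def alert_on(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that would raise this rule's alert."""
    return [e for e in events if matches_coldsteel_dll_load(e)]


# Constructed Sysmon Event ID 7 (image load) style records for the demonstration.
SAMPLE_EVENTS = [
    {  # hit: svchost loading the DLL from the roaming-profile path the rule names
        "EventID": 7,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\newdev.dll",
    },
    {  # miss: the legitimate newdev.dll in System32, loaded by svchost
        "EventID": 7,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\newdev.dll",
    },
    {  # miss: same suspicious DLL path, but the host process is not svchost
        "EventID": 7,
        "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\newdev.dll",
    },
    {  # hit: mixed-case paths still match because Sigma matching is case-insensitive
        "EventID": 7,
        "Image": r"C:\WINDOWS\system32\SVCHOST.EXE",
        "ImageLoaded": r"C:\Users\bob\APPDATA\ROAMING\NEWDEV.DLL",
    },
]


if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Running it prints two alerts, the first and the fourth event. The second event is the reason the rule keys on the `\AppData\Roaming\` path rather than the file name alone: a DLL named `newdev.dll` legitimately exists under System32, so the location is what carries the signal.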
Related rules
- COLDSTEEL Persistence Service Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- OilRig APT Activity