Potential COLDSTEEL Persistence Service DLL Load

 1title: Potential COLDSTEEL Persistence Service DLL Load
 2id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
 3status: test
 4description: |
 5        Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
 6references:
 7    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/05/02
10tags:
11    - attack.persistence
12    - attack.defense_evasion
13    - detection.emerging_threats
14logsource:
15    product: windows
16    category: image_load
17detection:
18    selection:
19        Image|endswith: '\svchost.exe'
20        ImageLoaded|endswith: '\AppData\Roaming\newdev.dll'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: high

References

• ƒq°Çnk·eÞN¿gÇ}ãe=û|»“:ÚîbwSuô{/ëØ}í¾ÌûÙ׫†ö`û>æ#íQÌGÛ�±¬=‘ùdFÔuì§ígU{º=‹ù‹ö"eÚ‹íïu¯²×3ßhob¾ÙÞ¢Ž·Ãv�j`o·ÕÉv‘]¬,»Ô.g^iïSÍôonêø·ú·ªVþR™Êñ—û+•×¿Ç¿O5ôWûUG~ p—”á›íŽÚÍ»ý·èÈ)ÕhwU*m+%ðCe¸ÀÇp“ålEÄú...

  
  Read More

Related rules

• COLDSTEEL RAT Anonymous User Process Execution
• COLDSTEEL RAT Cleanup Command Execution
• COLDSTEEL RAT Service Persistence Execution
• Potential COLDSTEEL Persistence Service DLL Creation
• Potential COLDSTEEL RAT File Indicators