COLDSTEEL RAT Cleanup Command Execution

calendar Mar 1, 2024 · attack.persistence attack.defense_evasion detection.emerging_threats  ·
Share on: linkedin copy

Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples

Sigma rule (View on GitHub)

 1title: COLDSTEEL RAT Cleanup Command Execution
 2id: 88516f06-ebe0-47ad-858e-ae9fd060ddea
 3status: test
 4description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/30
 9tags:
10    - attack.persistence
11    - attack.defense_evasion
12    - detection.emerging_threats
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith: '\svchost.exe'
19        ParentCommandLine|contains:
20            - ' -k msupdate'
21            - ' -k msupdate2'
22            - ' -k alg'
23        Image|endswith: '\rundll32.exe'
24        CommandLine|contains:
25            - 'UpdateDriverForPlugAndPlayDevicesW'
26            - 'ServiceMain'
27            - 'DiUninstallDevice'
28    condition: selection
29falsepositives:
30    - Unlikely
31level: critical

References

  • ƒq°Çnk·eÞN¿gÇ}ãe=û|»“:ÚîbwSuô{/ëØ}í¾ÌûÙ׫†ö`û>æ#íQÌGÛ�±¬=‘ùdFÔuì§ígU{º=‹ù‹ö"eÚ‹íïu¯²×3ßhob¾ÙÞ¢Ž·Ãv�j`o· ÕÉv‘]¬,»Ô.g^iïSÍôonêø·ú·ªVþR™Êñ—û+•×¿Ç¿O5ôWûUG~ p—”á›íŽÚÍ»ý·èÈ)ÕhwU*m+%ðCe¸ÀÇp“ålEÄú...


    Read More

Related rules

to-top