COLDSTEEL RAT Service Persistence Execution

calendar Mar 1, 2024 · attack.persistence attack.defense_evasion detection.emerging_threats  ·
Share on: linkedin copy

Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT

Sigma rule (View on GitHub)

 1title: COLDSTEEL RAT Service Persistence Execution
 2id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
 3status: test
 4description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
 7author: X__Junior (Nextron Systems)
 8date: 2023/04/30
 9tags:
10    - attack.persistence
11    - attack.defense_evasion
12    - detection.emerging_threats
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\svchost.exe'
19        CommandLine|endswith:
20            - ' -k msupdate'
21            - ' -k msupdate2'
22            - ' -k alg'
23    condition: selection
24falsepositives:
25    - Unlikely
26level: critical

References

  • ƒq°Çnk·eÞN¿gÇ}ãe=û|»“:ÚîbwSuô{/ëØ}í¾ÌûÙ׫†ö`û>æ#íQÌGÛ�±¬=‘ùdFÔuì§ígU{º=‹ù‹ö"eÚ‹íïu¯²×3ßhob¾ÙÞ¢Ž·Ãv�j`o· ÕÉv‘]¬,»Ô.g^iïSÍôonêø·ú·ªVþR™Êñ—û+•×¿Ç¿O5ôWûUG~ p—”á›íŽÚÍ»ý·èÈ)ÕhwU*m+%ðCe¸ÀÇp“ålEÄú...


    Read More

Related rules

to-top