COLDSTEEL Persistence Service Creation

Detects the creation of new services potentially related to COLDSTEEL RAT

Sigma rule

title: COLDSTEEL Persistence Service Creation
id: 3ced239c-7285-4b54-99c4-8525b69293f7
status: test
description: Detects the creation of new services potentially related to COLDSTEEL RAT
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/02
tags:
    - attack.defense_evasion
    - attack.persistence
    - detection.emerging_threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName:
            - 'Name'
            - 'msupdate'
            - 'msupdate2'
        ImagePath|contains: '\Windows\System32\svchost.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
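The rule's `selection` is four ANDed conditions, with the `ServiceName` list ORed and every string comparison case-insensitive, as Sigma specifies. The following Python is an added example, not part of the Sigma project or the original page: it transcribes the selection into a small evaluator and runs it over constructed System-log events (field names follow the rule's `windows/system` log source; the sample events are invented, not real telemetry). It shows which events fire the rule and which near-misses do not, such as a suspiciously named service whose `ImagePath` is not `svchost.exe`.

```python
# Added example (not part of the Sigma project or the original page): a
# minimal evaluator for the `selection` of the COLDSTEEL rule above, run
# over constructed sample System-log events. Sigma string matching is
# case-insensitive by default, so every comparison lower-cases both sides.

# The rule's selection values, transcribed from the YAML and stored
# lower-cased so the matching below is case-insensitive as Sigma requires.
SERVICE_NAMES = {"name", "msupdate", "msupdate2"}
IMAGE_PATH_FRAGMENT = r"\windows\system32\svchost.exe"


def matches_coldsteel_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    All four field conditions are ANDed; the ServiceName list is ORed,
    mirroring how Sigma interprets a list of values under one field.
    """
    if str(event.get("Provider_Name", "")).lower() != "service control manager":
        return False
    if event.get("EventID") != 7045:
        return False
    if str(event.get("ServiceName", "")).lower() not in SERVICE_NAMES:
        return False
    # `ImagePath|contains` is a case-insensitive substring test.
    return IMAGE_PATH_FRAGMENT in str(event.get("ImagePath", "")).lower()


# Constructed sample events (not real telemetry). EventID 7045 is the
# Service Control Manager's "a service was installed" record.
SAMPLE_EVENTS = [
    {   # should match: listed name and svchost image path
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "msupdate",
        "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    {   # should match: case differences do not defeat Sigma matching
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "MSUPDATE2",
        "ImagePath": r"c:\windows\system32\SVCHOST.EXE -k LocalService",
    },
    {   # should not match: benign service name
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "Spooler",
        "ImagePath": r"C:\Windows\System32\spoolsv.exe",
    },
    {   # should not match: listed name, but ImagePath is not svchost
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "msupdate",
        "ImagePath": r"C:\Users\Public\msupdate.exe",
    },
    {   # should not match: EventID 7036 is a service state change, not an install
        "Provider_Name": "Service Control Manager", "EventID": 7036,
        "ServiceName": "msupdate",
        "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
]


def find_alerts(events):
    """Return the ServiceName of every event that triggers the rule."""
    return [e["ServiceName"] for e in events if matches_coldsteel_rule(e)]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: service install matching COLDSTEEL rule: {name}")
```

Run as-is to see the two matching installs reported. The fourth sample is the one worth noting when tuning: a service named `msupdate` that does not load through `svchost.exe` is outside this rule's scope by design, because the `ImagePath|contains` condition is ANDed with the name list rather than being an alternative to it.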
