Silenttrinity Stager Msbuild Activity
Detects possible remote connections from msbuild.exe to a Silenttrinity C2 server
Sigma rule
title: Silenttrinity Stager Msbuild Activity
id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
status: test
description: Detects possible remote connections from msbuild.exe to a Silenttrinity C2 server
references:
  - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
author: Kiran kumar s, oscd.community
date: 2020-10-11
modified: 2022-10-05
tags:
  - attack.execution
  - attack.defense-evasion
  - attack.t1127.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\msbuild.exe'
  filter:
    DestinationPort:
      - 80
      - 443
    Initiated: 'true'
  condition: selection and filter
falsepositives:
  - Unknown
level: high
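Two points about the logic are easy to misread. First, the block named `filter` is not an exclusion: the condition is `selection and filter`, so it narrows the match to outbound (`Initiated: 'true'`) connections on 80 or 443 rather than filtering anything out. Second, Sigma string matching is case-insensitive by default, so the `Image|endswith` test will match the `MSBuild.exe` spelling that Sysmon actually records. The rule lists no known false positives; on a build host, `msbuild.exe` performing a NuGet restore can legitimately make outbound 443 connections, so check that before deploying at `level: high`. The following is an added example, not code from the SigmaHQ rule, pySigma or any Sigma backend: it re-implements exactly this rule's matching over a handful of constructed Sysmon Event ID 3 style `network_connection` events (the paths, IPs and ports are made up) so the three clauses can be seen accepting and rejecting events.

```python
"""Evaluate the 'Silenttrinity Stager Msbuild Activity' Sigma logic over
constructed Windows network_connection events.

Added example: not part of the SigmaHQ rule, pySigma or any Sigma backend.
Field names follow Sigma's network_connection taxonomy as emitted by Sysmon
Event ID 3; every event value below is constructed, not real telemetry.
"""

# Values taken from the rule's detection block.
IMAGE_SUFFIX = "\\msbuild.exe"   # selection: Image|endswith
DEST_PORTS = {80, 443}           # filter: DestinationPort
INITIATED = "true"               # filter: Initiated (Sysmon logs this as a string)


def selection(event: dict) -> bool:
    """'Image|endswith': Sigma string matching is case-insensitive by default,
    so compare lower-cased values."""
    return str(event.get("Image", "")).lower().endswith(IMAGE_SUFFIX.lower())


def filter_(event: dict) -> bool:
    """Despite its name, 'filter' is ANDed into the condition, so it narrows
    the match to outbound connections on 80/443 instead of excluding events."""
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    return port in DEST_PORTS and str(event.get("Initiated", "")).lower() == INITIATED


def matches(event: dict) -> bool:
    """condition: selection and filter"""
    return selection(event) and filter_(event)


def run_rule(events: list) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (hypothetical paths; IPs from the TEST-NET ranges).
SAMPLE_EVENTS = [
    # 0: MSBuild.exe (mixed case, as Sysmon records it) -> 443, outbound: alert
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "true"},
    # 1: same binary, port not in the list: no alert
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8080, "Initiated": "true"},
    # 2: inbound connection accepted by msbuild (Initiated false): no alert
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": "false"},
    # 3: a browser on 443: selection fails, no alert
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "true"},
    # 4: Build Tools copy of msbuild.exe -> port 80, outbound: alert
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
     "DestinationIp": "192.0.2.44", "DestinationPort": 80, "Initiated": "true"},
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}")
```

Running it alerts on events 0 and 4 only. Event 2 is the case worth keeping in mind when porting the rule to a backend: if your log source does not populate `Initiated` (or populates it as a boolean rather than the string `'true'`), the `filter` clause silently never matches and the rule goes quiet.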
Related rules
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Suspicious Remote Child Process From Outlook
- Suspicious Use of CSharp Interactive Console
- Potential Windows Defender Tampering Via Wmic.EXE