Silenttrinity Stager Msbuild Activity

Detects possible remote connections to Silenttrinity C2

Sigma rule

title: Silenttrinity Stager Msbuild Activity
id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
status: test
description: Detects a possible remote connections to Silenttrinity c2
references:
    - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
author: Kiran kumar s, oscd.community
date: 2020-10-11
modified: 2022-10-05
tags:
    - attack.execution
    - attack.t1127.001
logsource:
    category: network_connection
    product: windows
detection:
    # Process that owns the connection is msbuild.exe
    selection:
        Image|endswith: '\msbuild.exe'
    # Despite its name, this block is a second positive match (AND-ed in the
    # condition, not negated): an outbound connection to port 80 or 443
    filter:
        DestinationPort:
            - 80
            - 443
        Initiated: 'true'
    condition: selection and filter
falsepositives:
    - Unknown
level: high
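
The rule's condition applied to constructed Sysmon Event ID 3 (network connection) records, as an added example that is not part of the original rule or the Sigma project. The function names `as_bool`, `matches_rule` and `alerts` and all sample events are assumptions made for illustration; only the field names and values come from the rule.

```python
# Added example: evaluates the rule's `selection and filter` condition in plain Python.
# Field names (Image, DestinationPort, Initiated) are the ones the rule uses.

WEB_PORTS = {80, 443}  # DestinationPort values listed in the rule


def as_bool(value):
    """Sysmon logs Initiated as the string 'true'/'false'; some pipelines cast it to bool."""
    return value is True or str(value).strip().lower() == "true"


def matches_rule(event):
    """Return True when the event satisfies `selection and filter`."""
    image = str(event.get("Image", ""))
    # Sigma string matching is case-insensitive by default, so lower-case the field.
    selection = image.lower().endswith("\\msbuild.exe")
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        port = -1
    # `filter` is AND-ed with `selection`: web port and connection initiated by the host.
    filt = port in WEB_PORTS and as_bool(event.get("Initiated"))
    return selection and filt


# Constructed sample events (hypothetical, documentation-range IP addresses).
SAMPLE_EVENTS = [
    {"id": "a", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443", "Initiated": "true"},
    {"id": "b", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443, "Initiated": "true"},
    {"id": "c", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": "true"},
    {"id": "d", "Image": r"C:\Tools\msbuild.exe",
     "DestinationIp": "192.0.2.5", "DestinationPort": 80, "Initiated": True},
    {"id": "e", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "DestinationIp": "192.0.2.5", "DestinationPort": 80, "Initiated": "false"},
]


def alerts(events):
    """IDs of the events the rule would flag."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Events whose `DestinationPort` is outside the rule's list, or whose `Initiated` value is not true, do not match even when the image is `msbuild.exe`.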
