Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
Sigma rule
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IB report
references:
    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1572
    - attack.impact
    - attack.t1529
    - attack.g0091
    - attack.s0363
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    empire:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
falsepositives:
    - Unknown
level: critical
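To make the rule's logic concrete, the following added example (not SigmaHQ or Group-IB code) re-implements the two selections and the `empire and dnscat` condition in Python and runs them over constructed sample script-block records. The field names `ScriptBlockText` and `ScriptBlockId` mirror PowerShell event 4104; the sample texts are constructed for the test, not real telemetry. It shows that `contains|all` requires every listed string in the same record, that a script hitting only one selection does not alert, and that Sigma's default string matching is case-insensitive.

```python
"""Evaluate the Silence.EDA Sigma detection block over script-block events.

Added example, not SigmaHQ or Group-IB code. It hard-codes the rule's two
selections and its condition and runs them over constructed sample records
whose field names (ScriptBlockText, ScriptBlockId) mimic PowerShell event 4104.
"""

# The two selections, copied from the rule's detection block.
EMPIRE = [
    "System.Diagnostics.Process",
    "Stop-Computer",
    "Restart-Computer",
    "Exception in execution",
    "$cmdargs",
    "Close-Dnscat2Tunnel",
]
DNSCAT = [
    "set type=$LookupType`nserver",
    "$Command | nslookup 2>&1 | Out-String",
    "New-RandomDNSField",
    "[Convert]::ToString($SYNOptions, 16)",
    "$Session.Dead = $True",
    '$Session["Driver"] -eq',
]


def contains_all(value: str, needles: list) -> bool:
    """Sigma `contains|all`: every needle is a substring of the field value.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison. No wildcard handling is needed here because
    none of the rule's strings contain '*' or '?'.
    """
    haystack = value.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_rule(event: dict) -> bool:
    """Condition `empire and dnscat`: both selections must hit the same record."""
    text = event.get("ScriptBlockText", "")
    return contains_all(text, EMPIRE) and contains_all(text, DNSCAT)


def evaluate(events: list) -> list:
    """Return the ScriptBlockId of every event the rule would alert on."""
    return [e["ScriptBlockId"] for e in events if matches_rule(e)]


# Constructed sample script blocks (not real telemetry).
SAMPLE_EVENTS = [
    {
        # Benign admin script: shares Stop-Computer/Restart-Computer with the
        # rule but lacks the other "empire" strings and every "dnscat" string.
        "ScriptBlockId": "block-benign",
        "ScriptBlockText": "if ($reboot) { Restart-Computer } else { Stop-Computer }",
    },
    {
        # Only the "empire" half present: one selection alone never alerts.
        "ScriptBlockId": "block-empire-only",
        "ScriptBlockText": "\n".join(EMPIRE),
    },
    {
        # Both halves in one block; one token is lower-cased to show that the
        # match is case-insensitive.
        "ScriptBlockId": "block-full",
        "ScriptBlockText": "# filler\n" + "\n".join(EMPIRE + DNSCAT).replace(
            "New-RandomDNSField", "new-randomdnsfield"
        ),
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['block-full']
```

Because both selections are evaluated against a single record, the rule only fires when all twelve strings land in the same `ScriptBlockText` value; script block logging splits long scripts across several 4104 events, so a backend that does not present each block's full text, or that truncates it, will silently miss the condition. That is the first thing to verify when validating this rule in a SIEM.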
Related rules
- Command Line Execution with Suspicious URL and AppData Strings
- Greenbug Espionage Group Indicators
- Potential BlackByte Ransomware Activity
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- PowerShell DownloadFile