HackTool - SILENTTRINITY Stager Execution
Detects SILENTTRINITY stager use via PE metadata
Sigma rule
```yaml
title: HackTool - SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
related:
    - id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d # DLL Load
      type: derived
status: test
description: Detects SILENTTRINITY stager use via PE metadata
references:
    - https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description|contains: 'st2stager'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
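The rule's single `selection` checks the PE `Description` field of a process_creation event with the `|contains` modifier, which Sigma evaluates case-insensitively. The following is an added example (not part of the rule or the Sigma project) that runs that detection section over a few constructed process_creation events; it also handles the `startswith`, `endswith` and plain wildcard forms so the same matcher can be reused, and treats an event with no `Description` field as a non-match.

```python
import re

# The detection section of the Sigma rule above, transcribed as a Python
# dict so that no YAML parser is needed.
DETECTION = {
    "selection": {"Description|contains": "st2stager"},
    "condition": "selection",
}

# Constructed sample process_creation events (Sysmon Event ID 1 style fields).
# These are made up for the example and are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Description": "st2stager", "Company": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Description": "Notepad", "Company": "Microsoft Corporation"},
    {"Image": r"C:\Tools\loader.exe", "Description": "ST2Stager build 1"},
    {"Image": r"C:\Tools\nodesc.exe"},  # Description field missing entirely
]


def _field_matches(field_spec: str, expected, value) -> bool:
    """Apply one Sigma field check. Sigma string matching is case-insensitive;
    |contains is shorthand for the wildcard pattern '*value*'."""
    modifier = field_spec.partition("|")[2]
    if value is None:            # field absent from the event: cannot match
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        # Plain match: Sigma wildcards * and ? become regex .* and .
        pattern = re.escape(expected).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(pattern, value) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict) -> bool:
    """A selection is a map of field checks; all of them must hold (AND)."""
    return all(_field_matches(spec, exp, event.get(spec.partition("|")[0]))
               for spec, exp in selection.items())


def evaluate(detection: dict, event: dict) -> bool:
    """Evaluate a rule whose condition names a single selection."""
    return selection_matches(detection[detection["condition"].strip()], event)


def matching_images(detection: dict, events: list) -> list:
    """Return the Image path of every event the rule fires on."""
    return [e["Image"] for e in events if evaluate(detection, e)]
```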
Related rules
- GALLIUM Artefacts - Builtin
- GALLIUM IOCs
- HackTool - SILENTTRINITY Stager DLL Load
- Suspicious Installer Package Child Process
- ADSI-Cache File Creation By Uncommon Tool