HackTool - Stracciatella Execution
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
Sigma rule (View on GitHub)
1title: HackTool - Stracciatella Execution
2id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
3status: test
4description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
5references:
6 - https://github.com/mgeeky/Stracciatella
7author: pH-T (Nextron Systems)
8date: 2023-04-17
9tags:
10 - attack.execution
11 - attack.defense-evasion
12 - attack.t1059
13 - attack.t1562.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - Image|endswith: '\Stracciatella.exe'
20 - OriginalFileName: 'Stracciatella.exe'
21 - Description: 'Stracciatella'
22 - Hashes|contains:
23 - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
24 - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
25 - sha256:
26 - '9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
27 - 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
28 condition: selection
29falsepositives:
30 - Unlikely
31level: high
References
-
OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup - mgeeky/Stracciatella
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- HackTool - CobaltStrike BOF Injection Pattern
- Install New Package Via Winget Local Manifest