HackTool - Stracciatella Execution
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
Sigma rule (View on GitHub)
1title: HackTool - Stracciatella Execution
2id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
3status: test
4description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
5references:
6 - https://github.com/mgeeky/Stracciatella
7author: pH-T (Nextron Systems)
8date: 2023-04-17
9modified: 2024-11-23
10tags:
11 - attack.execution
12 - attack.defense-evasion
13 - attack.t1059
14 - attack.t1562.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 - Image|endswith: '\Stracciatella.exe'
21 - OriginalFileName: 'Stracciatella.exe'
22 - Description: 'Stracciatella'
23 - Hashes|contains:
24 - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
25 - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
26 condition: selection
27falsepositives:
28 - Unlikely
29level: high
References
-
OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup - mgeeky/Stracciatella
Read More
Related rules
- Add Potential Suspicious New Download Source To Winget
- Elevated System Shell Spawned From Uncommon Parent Location
- Obfuscated PowerShell OneLiner Execution
- Renamed CURL.EXE Execution
- AMSI Bypass Pattern Assembly GetType