2020-02-20 23:00:16 +01:00
|
|
|
title: Silence.EDA Detection
|
2019-12-19 23:56:36 +01:00
|
|
|
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
|
2019-12-15 23:30:42 +01:00
|
|
|
status: experimental
|
|
|
|
|
description: Detects Silence empireDNSagent
|
|
|
|
|
author: Alina Stepchenkova, Group-IB, oscd.community
|
|
|
|
|
date: 2019/11/01
|
2020-09-15 06:10:57 -06:00
|
|
|
modified: 2020/09/01
|
2019-12-15 23:30:42 +01:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: powershell
|
|
|
|
|
detection:
|
|
|
|
|
empire:
|
|
|
|
|
ScriptBlockText|contains|all: # better to randomise the order
|
|
|
|
|
- 'System.Diagnostics.Process'
|
|
|
|
|
- 'Stop-Computer'
|
|
|
|
|
- 'Restart-Computer'
|
|
|
|
|
- 'Exception in execution'
|
|
|
|
|
- '$cmdargs'
|
|
|
|
|
- 'Close-Dnscat2Tunnel'
|
|
|
|
|
dnscat:
|
|
|
|
|
ScriptBlockText|contains|all: # better to randomise the order
|
|
|
|
|
- 'set type=$LookupType`nserver'
|
|
|
|
|
- '$Command | nslookup 2>&1 | Out-String'
|
|
|
|
|
- 'New-RandomDNSField'
|
|
|
|
|
- '[Convert]::ToString($SYNOptions, 16)'
|
|
|
|
|
- '$Session.Dead = $True'
|
|
|
|
|
- '$Session["Driver"] -eq'
|
|
|
|
|
condition: empire and dnscat
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: critical
|
2020-09-15 08:52:00 -06:00
|
|
|
tags:
|
2020-09-15 15:45:33 -06:00
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1059.001
|
|
|
|
|
- attack.t1086 # an old one
|
|
|
|
|
- attack.command_and_control
|
|
|
|
|
- attack.t1071.004
|
|
|
|
|
- attack.t1071 # an old one
|
|
|
|
|
- attack.t1572
|
|
|
|
|
- attack.impact
|
|
|
|
|
- attack.t1529
|
|
|
|
|
- attack.g0091
|
2020-09-15 06:10:57 -06:00
|
|
|
- attack.s0363
|
