Merge PR #4885 from @LucaInfoSec - Add `Potential CSharp Streamer RAT…

… Loading .NET Executable Image` new: Potential CSharp Streamer RAT Loading .NET Executable Image --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · Jul 31, 2024 · 6800135 · 6800135
1 parent 42f90bb
commit 6800135
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/...g-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml b/...g-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml
@@ -0,0 +1,23 @@
+title: Potential CSharp Streamer RAT Loading .NET Executable Image
+id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
+status: experimental
+description: |
+    Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
+references:
+    - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
+    - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
+author: Luca Di Bartolomeo
+date: 2024/06/22
+tags:
+    - attack.command_and_control
+    - attack.t1219
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high