Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create image_load_susp_dotnet_csharp_streamer_rat.yml #4885

Merged
merged 4 commits into from
Jul 31, 2024
Merged

Create image_load_susp_dotnet_csharp_streamer_rat.yml #4885

merged 4 commits into from
Jul 31, 2024

Conversation

LucaInfoSec
Copy link
Contributor

@LucaInfoSec LucaInfoSec commented Jun 22, 2024
edited by nasbench
Loading

Summary of the Pull Request

Sigma rule for the CSharp Streamer RAT.

Detection is based on the default file name and path used by the CSharp Streamer RAT to write and load .NET executables.

References here:
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/

Changelog

new: Potential CSharp Streamer RAT Loading .NET Executable Image

Example Log Event

Image loaded:
RuleName: technique_id=T1574.002,technique_name=DLL Side-Loading
UtcTime: -
ProcessGuid: {87714b33-0f0c-6528-0674-020000000400}
ProcessId: 11528
Image: C:\test\cslite.exe
ImageLoaded: C:\Users\test\AppData\Local\Temp\dat8E8A.tmp
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
Hashes: SHA1=9918492B6A1BD5ED40109B53C3ACDDD8C5F370F5,MD5=CF3C9C1E8D8B525425B5BD1DF90B7928, SHA256=C6012796E6FCCFF612B9AE0A981A56878847DCE5A9C3BB324E653A07526BE096,IMPHASH=00000000000000000000000000000000
Signed: false
Signature: -
SignatureStatus: Unavailable
User: test

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Jun 22, 2024
@nasbench nasbench added the Work In Progress Some changes are needed label Jun 23, 2024
@nasbench
Copy link
Member

Thanks for the contribution @LucaInfoSec. Just a quick question did you check the code to verify the length and the allowed characters for the filename? If so, can you please share an SS or a link?

From the DFIR report link and the cyber.wtf there isn't a direct evidence.

Thanks

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Jun 24, 2024
@nasbench nasbench self-assigned this Jun 24, 2024
@LucaInfoSec
Copy link
Contributor Author

LucaInfoSec commented Jun 25, 2024
edited
Loading

Hi @nasbench, Unfortunately no, I could not get my hands on a sample of the malware so the two examples of this \dat[0-9A-Z]{4}.tmp format is the two examples provided in the report:
- dat8E8A.tmp
- dat956D.tmp
I believe the format is just any four numbers or letters (the letters and numbers most likely being hexadecimal format but in the rule I include [A-Z] instead of [A-F] just incase this assumption is incorrect). It is a rare format so it should be unlikely that it will result in false positives.

If this is not enough we can close the PR until I have more concrete evidence of this.

@nasbench nasbench removed the Work In Progress Some changes are needed label Jun 25, 2024
@nasbench
Copy link
Member

I approved from a logic perspective. But i'll need to double check that this is an expected behavior. As the cyber.wtf didn't mention it.
And looking at the 2 samples linked in that blog sample1 and sample2. VT behavior tab doesn't show that file being dropped.

I'll keep this open for a bit more.

@nasbench nasbench added Work In Progress Some changes are needed and removed Author Input Required changes the require information from original author of the rules labels Jun 25, 2024
@nasbench nasbench removed the Work In Progress Some changes are needed label Jul 31, 2024
@nasbench nasbench merged commit 6800135 into SigmaHQ:master Jul 31, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench approved these changes

Assignees

@nasbench nasbench

Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LucaInfoSec @nasbench