Type: Detection | Level: critical | Status: test

Silence.EDA Detection

Detects the Silence group's EmpireDNSAgent (EDA) as described in the Group-IB report.

Author: Alina Stepchenkova, Group-IB, oscd.community | Created: Fri Nov 01 | Updated: Mon Apr 03 | Rule ID: 3ceb2083-a27f-449a-be33-14ec1b7cc973 | Product: windows

Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (2 selectors)
detection:
    empire:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
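As an added example (not part of the Sigma rule or this page), the following Python evaluates the two `contains|all` selectors above and the `empire and dnscat` condition against constructed ScriptBlockText events, the way a backend or a quick triage script would; the sample events are constructed, and Sigma's default case-insensitive substring matching is assumed.

```python
# Added example: evaluate this rule's selectors against constructed
# PowerShell script-block events (dicts with a ScriptBlockText field).
# Sigma string matching is case-insensitive; the terms below are the
# rule's own values and are matched literally as substrings.

EMPIRE_TERMS = [
    "System.Diagnostics.Process",
    "Stop-Computer",
    "Restart-Computer",
    "Exception in execution",
    "$cmdargs",
    "Close-Dnscat2Tunnel",
]

DNSCAT_TERMS = [
    "set type=$LookupType`nserver",
    "$Command | nslookup 2>&1 | Out-String",
    "New-RandomDNSField",
    "[Convert]::ToString($SYNOptions, 16)",
    "$Session.Dead = $True",
    '$Session["Driver"] -eq',
]


def contains_all(text: str, terms: list[str]) -> bool:
    """Sigma `field|contains|all`: every term is a case-insensitive substring."""
    haystack = text.lower()
    return all(term.lower() in haystack for term in terms)


def matches_rule(event: dict) -> bool:
    """Condition `empire and dnscat`: both selectors must hit the same event."""
    text = event.get("ScriptBlockText", "")
    return contains_all(text, EMPIRE_TERMS) and contains_all(text, DNSCAT_TERMS)


# Constructed sample events (not real captures).
FULL_HIT = {"ScriptBlockText": " ".join(EMPIRE_TERMS + DNSCAT_TERMS)}
EMPIRE_ONLY = {"ScriptBlockText": " ".join(EMPIRE_TERMS)}
BENIGN = {"ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"}


def triage(events: list[dict]) -> list[int]:
    """Return the indexes of the events that satisfy the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print(triage([FULL_HIT, EMPIRE_ONLY, BENIGN]))  # [0]
```

Script Block Logging splits large scripts across several events, so the `empire and dnscat` condition only fires when both sets of strings land in the same event; during triage, fragments sharing a ScriptBlockId should be reassembled before concluding a script is clean.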
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
3ceb2083-a27f-449a-be33-14ec1b7cc973
Status
test
Level
critical
Type
Detection
Created
Fri Nov 01
Modified
Mon Apr 03
Path
rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
Raw Tags
attack.execution, attack.t1059.001, attack.command-and-control, attack.t1071.004, attack.t1572, attack.impact, attack.t1529, attack.g0091, attack.s0363