Emerging Threathightest

Potential CSharp Streamer RAT Loading .NET Executable Image

Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Luca Di BartolomeoCreated Sat Jun 226f6afac3-8e7a-4e4b-9588-2608ffe08f822024

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Other

attack.t1219.002detection.emerging-threats

Rule Metadata

Rule ID

6f6afac3-8e7a-4e4b-9588-2608ffe08f82

Status

test

Level

high

Type

Emerging Threat

Created

Sat Jun 22

Author

Path

rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml

Raw Tags

attack.command-and-controlattack.t1219.002detection.emerging-threats