Open LucaInfoSec opened 6 days ago
Thanks for the contribution @LucaInfoSec. Just a quick question: did you check the code to verify the length and the allowed characters for the filename? If so, can you please share an SS or a link?
From the DFIR report link and cyber.wtf, there isn't direct evidence.
Thanks
Hi @nasbench, unfortunately no, I could not get my hands on a sample of the malware, so the two examples of this `\dat[0-9A-Z]{4}.tmp` format are the two examples provided in the report:
If this is not enough we can close the PR until I have more concrete evidence of this.
Summary of the Pull Request
Sigma rule for the CSharp Streamer RAT.
Detection is based on the default file name and path used by the CSharp Streamer RAT to write and load .NET executables.
References here:
Changelog
new: Potential CSharp Streamer RAT Loading .NET Executable Image
Example Log Event
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
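As an added illustration, not code from this PR or from SigmaHQ, here is the filename pattern quoted in the comment thread (`\dat[0-9A-Z]{4}.tmp`) and the "default file name used to load .NET executables" idea from the PR summary, run as detection logic over a handful of constructed image-load records. The event shape is modelled on Sysmon Event ID 7 (`ImageLoaded`), and the sample paths, the temp-directory locations and the relaxed fallback pattern are all assumptions made for the example; the page itself only gives the four-character upper-case format and the two report examples it was taken from.

```python
import re

# Constructed sample events, modelled on Sysmon Event ID 7 (ImageLoaded).
# These are NOT real telemetry from the DFIR report; paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\dat1A2B.tmp"},          # matches strict pattern
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\Public\dat1A2B3.tmp"},         # five chars: strict miss
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Temp\datab12.tmp"},                  # lower-case: strict miss
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy datXYZ9.tmp .."},                   # wrong event type
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\Temp\datZZ99.tmp"},          # matches strict pattern
]

# Strict pattern, exactly as quoted in the PR discussion: a path separator,
# "dat", four upper-case alphanumerics, ".tmp" at the end of the path.
# Kept case-sensitive on purpose: a Sigma `|re` modifier is case-sensitive
# too, whereas plain `endswith` matching would lose the length constraint.
STRICT_RE = re.compile(r"\\dat[0-9A-Z]{4}\.tmp$")

# Relaxed pattern (an assumption, not from the page): the reviewer asked
# whether the length and character set were verified; until they are,
# a wider net shows what the strict rule would silently miss.
RELAXED_RE = re.compile(r"\\dat[0-9A-Za-z]{3,8}\.tmp$")


def is_suspicious_image_load(event, strict=True):
    """Return True if the event is an image load of a file named like the
    CSharp Streamer drop-file format described in the PR."""
    if event.get("EventID") != 7:
        return False
    pattern = STRICT_RE if strict else RELAXED_RE
    return bool(pattern.search(event.get("ImageLoaded", "")))


def match_events(events, strict=True):
    """Return the ImageLoaded paths of every event the rule would fire on."""
    return [e["ImageLoaded"] for e in events if is_suspicious_image_load(e, strict)]


if __name__ == "__main__":
    print("strict :", match_events(SAMPLE_EVENTS))
    print("relaxed:", match_events(SAMPLE_EVENTS, strict=False))
```

The gap between the two result sets is the reviewer's point in a nutshell: the strict regex fires only on the two report-shaped names, while the relaxed one also catches the five-character and lower-case variants. Which of those the real malware produces is exactly what a sample would settle; until then the strict form encodes two observations rather than a verified generator.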