SigmaHQ / sigma

Main Sigma Rule Repository

Create image_load_susp_dotnet_csharp_streamer_rat.yml #4885

Open LucaInfoSec opened 6 days ago

LucaInfoSec commented 6 days ago

Summary of the Pull Request

Sigma rule for the CSharp Streamer RAT.

Detection is based on the default file name and path used by the CSharp Streamer RAT to write and load .NET executables.

References here:

Changelog

new: Potential CSharp Streamer RAT Loading .NET Executable Image

Example Log Event

Image loaded:
RuleName: technique_id=T1574.002,technique_name=DLL Side-Loading
UtcTime: -
ProcessGuid: {87714b33-0f0c-6528-0674-020000000400}
ProcessId: 11528
Image: C:\test\cslite.exe
ImageLoaded: C:\Users\test\AppData\Local\Temp\dat8E8A.tmp
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
Hashes: SHA1=9918492B6A1BD5ED40109B53C3ACDDD8C5F370F5,MD5=CF3C9C1E8D8B525425B5BD1DF90B7928, SHA256=C6012796E6FCCFF612B9AE0A981A56878847DCE5A9C3BB324E653A07526BE096,IMPHASH=00000000000000000000000000000000
Signed: false
Signature: -
SignatureStatus: Unavailable
User: test

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

nasbench commented 4 days ago

Thanks for the contribution @LucaInfoSec. Just a quick question: did you check the code to verify the length and the allowed characters for the filename? If so, can you please share an SS or a link?

From the DFIR report link and the cyber.wtf there isn't a direct evidence.

Thanks

LucaInfoSec commented 4 days ago

Hi @nasbench, unfortunately no, I could not get my hands on a sample of the malware, so the two examples of this \dat[0-9A-Z]{4}.tmp format are the two examples provided in the report:

If this is not enough we can close the PR until I have more concrete evidence of this.
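The detection logic this PR describes, an image load whose ImageLoaded path is a file named dat plus four [0-9A-Z] characters plus .tmp under the user's Temp directory (per the PR description and the reply above), applied to a few constructed image-load records in the same "Key: Value" rendering as the example event. This is an added Python example, not the Sigma rule from the PR or SigmaHQ code; only the first record mirrors the PR's example, the other paths are made up, and the character set and length are the PR author's stated assumption.

```python
import re
from typing import Dict, List

# Constructed image-load records in the "Key: Value" rendering used by the
# PR's example event (only the two fields needed here). The first record
# mirrors the PR's example; the others are made up to exercise edge cases.
SAMPLE_LOG = r"""
Image: C:\test\cslite.exe
ImageLoaded: C:\Users\test\AppData\Local\Temp\dat8E8A.tmp

Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Windows\System32\ntdll.dll

Image: C:\test\other.exe
ImageLoaded: C:\Users\test\AppData\Local\Temp\dat8e8a1.tmp

Image: C:\test\other.exe
ImageLoaded: C:\ProgramData\datABCD.tmp
"""

# Naming scheme the PR author reports: "dat" + four [0-9A-Z] characters +
# ".tmp" under the user's %LOCALAPPDATA%\Temp. Length and character set are
# the author's assumption from two samples, not verified malware behaviour.
# Directory matched case-insensitively (Windows paths are); name as stated.
_LOADED_RE = re.compile(
    r"^(?i:[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\)dat[0-9A-Z]{4}\.tmp$"
)

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'Key: Value' records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            event[key.strip()] = value.strip()
        events.append(event)
    return events

def matches_streamer_pattern(image_loaded: str) -> bool:
    """True when a loaded module path fits the described naming scheme."""
    return _LOADED_RE.match(image_loaded) is not None

def detect(text: str) -> List[Dict[str, str]]:
    """Return the image-load records whose ImageLoaded field matches."""
    return [e for e in parse_events(text)
            if matches_streamer_pattern(e.get("ImageLoaded", ""))]
```

Only the record mirroring the PR's example is flagged; the lower-case, five-character name and the non-Temp path are deliberately outside the described scheme, which is exactly the part of the pattern the review thread asks to verify.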

nasbench commented 4 days ago

I approved from a logic perspective. But I'll need to double check that this is an expected behavior, as the cyber.wtf post didn't mention it. And looking at the 2 samples linked in that blog, sample1 and sample2, the VT behavior tab doesn't show that file being dropped.

I'll keep this open for a bit more.