Detection rules › Sigma
HackTool - Stracciatella Execution
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection
or:
Description: Stracciatella
Hashes|contains: 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
Hashes|contains: 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
Image|endswith: '\Stracciatella.exe'
OriginalFileName: Stracciatella.exe
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Description | eq |
|
Hashes | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|