
Summary
The Silence.EDA Detection rule is designed to identify malicious scripts associated with the Silence malware, specifically its EmpireDNSAgent functionality. The detection is based on PowerShell commands and patterns observed in the malware's behavior, as outlined in the Group-IB threat report. The rule requires that Script Block Logging is enabled in the Windows environment, since only that log source captures the full text of executed script blocks. The detection logic revolves around key terms and command structures that indicate both the Empire framework and the DNS tunneling tool dnscat. If both command sets are found in the same script execution, the detection triggers and the event is classified as a critical threat; a script block that matches only one of the two sets does not trigger the rule.
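As an added example that is not the rule's own Sigma source or any project code, the Python below applies the logic described above to constructed PowerShell Script Block Logging events: a verdict is returned only when one script block contains both the Empire and the dnscat term sets. The indicator strings, the 4104 event ID gate and the sample events are this example's own assumptions.

```python
from typing import Iterable, Optional

# Assumed illustrative indicators (this example's choice, not the rule's exact list):
# strings a Silence EDA script block would carry for Empire and for dnscat.
EMPIRE_TERMS = ("System.Diagnostics.Process", "stop-process -id $pid", "Invoke-Empire")
DNSCAT_TERMS = ("System.Diagnostics.Process", "stop-process -id $pid", "Invoke-Dnscat2")
SCRIPT_BLOCK_EVENT_ID = 4104  # PowerShell Script Block Logging event (assumed source)

def contains_all(text: str, terms: Iterable[str]) -> bool:
    """Sigma 'contains|all' semantics: every term must appear (case-insensitive)."""
    lowered = text.lower()
    return all(term.lower() in lowered for term in terms)

def classify(event: dict) -> Optional[str]:
    """Return 'critical' when one script block carries both the Empire and the
    dnscat command sets; None otherwise. Matching only one set is not enough."""
    if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
        return None  # without Script Block Logging there is no ScriptBlockText to inspect
    text = event.get("ScriptBlockText", "")
    if contains_all(text, EMPIRE_TERMS) and contains_all(text, DNSCAT_TERMS):
        return "critical"
    return None

def scan(events: Iterable[dict]) -> list:
    """Apply the rule to a stream of events; returns (ScriptBlockId, verdict) pairs."""
    return [(e.get("ScriptBlockId"), classify(e)) for e in events]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "blk-1",  # benign admin activity
     "ScriptBlockText": "Get-ChildItem C:\\Users | Out-File users.txt"},
    {"EventID": 4104, "ScriptBlockId": "blk-2",  # Empire terms only: must not fire
     "ScriptBlockText": "[System.Diagnostics.Process]::GetCurrentProcess(); "
                        "Invoke-Empire; stop-process -id $pid"},
    {"EventID": 4104, "ScriptBlockId": "blk-3",  # both sets present: fires
     "ScriptBlockText": "[System.Diagnostics.Process]::GetCurrentProcess(); "
                        "Invoke-Empire; Invoke-Dnscat2; stop-process -id $pid"},
    {"EventID": 4103, "ScriptBlockId": "blk-4",  # constructed to show the event-type gate
     "ScriptBlockText": "[System.Diagnostics.Process]; Invoke-Empire; "
                        "Invoke-Dnscat2; stop-process -id $pid"},
]

if __name__ == "__main__":
    for block_id, verdict in scan(SAMPLE_EVENTS):
        print(block_id, verdict or "no match")
```

Running it shows that only blk-3 is reported, which is the behaviour to expect from the rule: a host where Script Block Logging is disabled produces no 4104 events at all, so the rule never fires regardless of what ran.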
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
Created: 2019-11-01