Silence.EDA Detection

About the rule

Rule Type

Standard

Rule Description

Silence.EDA also known as Silence EmpireDNSAgent is a Trojan developed by the Silence APT group. It is a PowerShell-based agent designed to establish command and control (C2) over compromised systems through malicious command execution and DNS tunneling. This rule detects such command executions and DNS tunneling activity that may indicate the presence or deployment of the EmpireDNSAgent.

Severity

Critical

Rule journey

Attack chain scenario

Initial Access → Execution → PowerShell execution → Command and Control → DNS tunneling → Impact

Impact

• System compromise
• Suspicious network traffic
• Data exfiltration

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

((((( SCRIPTEXECUTED CONTAINS ""system.diagnostics.process"" ) AND( SCRIPTEXECUTED CONTAINS ""stop-computer"" ) AND( SCRIPTEXECUTED CONTAINS ""restart-computer"" ) AND( SCRIPTEXECUTED CONTAINS ""exception in execution"" ) AND( SCRIPTEXECUTED CONTAINS ""$cmdargs"" ) AND( SCRIPTEXECUTED CONTAINS ""close-dnscat2tunnel"" ) ))) AND (((( SCRIPTEXECUTED CONTAINS ""set type=$lookuptype`nserver"" ) AND( SCRIPTEXECUTED CONTAINS ""$command | nslookup 2>&1 | out-string"" ) AND( SCRIPTEXECUTED CONTAINS ""new-randomdnsfield"" ) AND( SCRIPTEXECUTED CONTAINS ""[convert]::tostring($synoptions"" ) AND( SCRIPTEXECUTED CONTAINS ""16)"" ) AND( SCRIPTEXECUTED CONTAINS ""$session.dead = $true"" ) AND( SCRIPTEXECUTED CONTAINS ""$session[\""driver\""] -eq"" ) ))))

This rule is triggered when the executed script contains the following suspicious elements:

• system.diagnostics.process: Refers to a .NET class used to start, stop, or manipulate system processes.
• stop-computer: A cmdlet used to shut down a computer.
• restart-computer: A cmdlet used to reboot a computer.
• exception in execution: A string typically found in malware scripts for error handling.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Application Layer Protocol - DNS (T1071.004), Command and Control: Protocol Tunneling (T1572); Impact: System Shutdown/Reboot (T1529); Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of a PowerShell script execution involving Silence.EDA. This enables you to monitor runtime environments like PowerShell, and detect potential attempts to abuse the DNS protocol.

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.

PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.

Similarly, this rule enables you to detect malicious network traffic and flag suspicious data transmissions.

Author

Alina Stepchenkova, Group-IB, oscd.community

Future actions

Known False Positives

This rule might be triggered when admins execute automated PowerShell scripts for legitimate software upgrades or when DNS tunneling techniques are implemented for legitimate testing.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Continuously monitor PowerShell executions, restrict script execution privileges to administrators only, and disable PowerShell on devices where it is not required.
5. Monitor network traffic: Track incoming and outgoing traffic, monitor traffic trends, blacklist malicious IP addresses, and block suspicious data transmissions.

Mitigation