Adversaries may use SILENTTRINITY to load a stager DLL as part of initial compromise, leveraging process injection to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage persistence and lateral movement tactics.
Detection Rule
title: HackTool - SILENTTRINITY Stager DLL Load
id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
related:
- id: 03552375-cc2c-4883-bbe4-7958d5a980be # Process Creation
type: derived
status: test
description: Detects SILENTTRINITY stager dll loading activity
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-17
tags:
- attack.command-and-control
- attack.t1071
logsource:
category: image_load
product: windows
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- Unlikely
level: high
DeviceImageLoadEvents
| where InitiatingProcessVersionInfoFileDescription contains "st2stager"Scenario: Legitimate use of PowerShell to load a DLL for a Windows Admin Center plugin
Filter/Exclusion: process.name != "pwsh.exe" OR process.name == "pwsh.exe" AND process.arguments CONTAINS "WindowsAdminCenter"
Scenario: Scheduled Task that loads a DLL as part of a Microsoft System Center integration
Filter/Exclusion: process.name == "schtasks.exe" AND process.arguments CONTAINS "/RU SYSTEM" AND process.arguments CONTAINS "SCOM"
Scenario: Administrative Tool like Windows Server Manager loading a DLL for feature installation
Filter/Exclusion: process.name == "servmgr.exe" OR process.name == "setup.exe" AND process.arguments CONTAINS "Install"
Scenario: Third-party monitoring tool (e.g., SolarWinds or PRTG) using a custom DLL for data collection
Filter/Exclusion: process.name == "SolarWinds.exe" OR process.name == "PRTGAgent.exe" AND process.arguments CONTAINS "datacollection"
Scenario: Custom DLL used by an internal CI/CD pipeline tool (e.g., Azure DevOps or Jenkins) for deployment
Filter/Exclusion: process.name == "azurepipeline.exe" OR process.name == "jenkins.exe" AND process.arguments CONTAINS "deploy" OR process.arguments CONTAINS "build"