HackTool - Stracciatella Execution (7a4d9232-92fc-404d-8ce1-4c92e7caf539)

Detects execution of Stracciatella, a tool that runs a PowerShell runspace from within C# (the SharpPick technique) with AMSI, ETW and Script Block Logging disabled. Detection is based on PE metadata characteristics of the binary.

Relationships (Cluster A -> Cluster B):

Cluster A: Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)
Galaxy A: Attack Pattern
Cluster B: HackTool - Stracciatella Execution (7a4d9232-92fc-404d-8ce1-4c92e7caf539)
Galaxy B: Sigma-Rules
Level: 1

Cluster A: Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)
Galaxy A: Attack Pattern
Cluster B: HackTool - Stracciatella Execution (7a4d9232-92fc-404d-8ce1-4c92e7caf539)
Galaxy B: Sigma-Rules
Level: 1