← Back to SOC feed Coverage →

Silenttrinity Stager Msbuild Activity

sigma HIGH SigmaHQ
T1127.001
imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-06T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a possible remote connections to Silenttrinity c2

Detection Rule

Sigma (Original)

title: Silenttrinity Stager Msbuild Activity
id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
status: test
description: Detects a possible remote connections to Silenttrinity c2
references:
    - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
author: Kiran kumar s, oscd.community
date: 2020-10-11
modified: 2022-10-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\msbuild.exe'
    filter:
        DestinationPort:
            - 80
            - 443
        Initiated: 'true'
    condition: selection and filter
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imNetworkSession
| where (SrcProcessName endswith "\\msbuild.exe" or DstProcessName endswith "\\msbuild.exe") and ((DstPortNumber in~ ("80", "443")) and NetworkDirection =~ "true")

Required Data Sources

Sentinel TableNotes
imNetworkSessionEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml