Skip to content

quasar_and_loader #3609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: develop
Choose a base branch
from
Open

quasar_and_loader #3609

wants to merge 11 commits into from
+728 −419

Conversation

tccontre
Copy link
Contributor

@tccontre tccontre commented Jul 16, 2025
edited
Loading

Updated

  • recon_using_wmi_class.yml
  • windows_gather_victim_network_info_through_ip_check_web_services.yml
  • lookups/browser_app_list.csv

New

  • windows_unusual_filezilla_xml_config_access.yml
  • windows_unusual_intelliform_storage_registry_access.yml
  • windows_unusual_mozilla_nss_mozglue_access.yml

tag

  • chcp_command_execution.yml
  • cmd_carry_out_string_command_parameter.yml
  • executables_or_script_creation_in_suspicious_path.yml
  • non_chrome_process_accessing_chrome_default_dir.yml
  • non_firefox_process_access_firefox_profile_dir.yml
  • ping_sleep_batch_command.yml
  • recon_avproduct_through_pwh_or_wmi.yml
  • registry_keys_used_for_persistence.yml
  • runas_execution_in_commandline.yml
  • scheduled_task_deleted_or_created_via_cmd.yml
  • schtasks_scheduling_job_on_remote_system.yml
  • suspicious_scheduled_task_from_public_directory.yml
  • windows_boot_or_logon_autostart_execution_in_startup_folder.yml
  • windows_credential_access_from_browser_password_store.yml
  • windows_credentials_from_password_stores_chrome_localstate_access.yml
  • windows_credentials_from_password_stores_chrome_login_data_access.yml
  • windows_mark_of_the_web_bypass.yml
  • windows_scheduled_task_with_highest_privileges.yml
  • windows_scheduled_task_with_suspicious_command.yml
  • windows_suspicious_process_file_path.yml
  • windows_system_reboot_commandline.yml
  • windows_system_shutdown_commandline.yml
  • windows_user_execution_malicious_url_shortcut_file.yml
  • winevent_scheduled_task_created_within_public_path.yml
  • wermgr_process_connecting_to_ip_check_web_services.yml

new analytic story

  • stories/quasar_rat.yml

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the the date and version in the associated YAML file.

nasbench
nasbench requested changes Jul 17, 2025
View reviewed changes
detections/endpoint/executables_or_script_creation_in_suspicious_path.yml Outdated
@@ -1,7 +1,7 @@
name: Executables Or Script Creation In Suspicious Path
id: a7e3f0f0-ae42-11eb-b245-acde48001122
version: 16
date: '2025-05-06'
version: '17'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tccontre This is a comment for all the rules you changed. Please do not use the single quote in the version field

Suggested change
version: '17'
version: 17

detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
- Powershell Script Block Logging 4104
search:
'`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText
- Powershell Script Block Logging 4104
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A lot of changes are also related to indentation. Which we want to have. So if you can avoid changing that

detections/endpoint/windows_unusual_filezilla_xml_config_access.yml Outdated
of the system.
data_source:
- Windows Event Log Security 4663
search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN("*\\Filezilla.exe"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest you add the full path of FileZilla to avoid FN.

detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml Outdated
could lead to data exfiltration, credential theft, or further compromise of the system.
data_source:
- Windows Event Log Security 4663
search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN("*\\iexplore.exe"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest you add full paths instead of just the process name to avoid FNs

detections/endpoint/windows_unusual_mozilla_nss_mozglue_access.yml Outdated
@@ -0,0 +1,73 @@
name: Windows Unusual Mozilla NSS-Mozglue Access
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This analytic is for ImageLoad so the title needs to be different

detections/endpoint/windows_unusual_mozilla_nss_mozglue_access.yml Outdated
Comment on lines 16 to 17
search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\mozglue.dll", "*\\nss3.dll")
NOT(process_name IN("firefox.exe", "thunderbird.exe")) NOT(process_path IN("*\\program files*"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nss3 can also be used by other processes. For example Code42 C:\Program Files\Code42\nlib\nss3.dll

For mozglue. I think its also worth filtering additional Mozilla products https://www.mozilla.org/en-US/products/

maybe install the most known and add filters

lookups/browser_app_list.csv
Comment on lines +48 to +52
"*opera.exe","*Opera Software\Opera GX Stable\Login Data*", true
"*opera.exe","*Opera Software\Opera GX Stable\Local State*", true
"*yandex.exe","*Yandex\YandexBrowser\User Data\Default\Ya Passman Data*", true
"*yandex.exe","*Yandex\YandexBrowser\User Data\Local State*", true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The corresponding lookup yaml file needs to also be updated.

detections/endpoint/ping_sleep_batch_command.yml Outdated
Comment on lines 30 to 39
as lastTime from datamodel=Endpoint.Processes where ( Processes.parent_process=
"*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*" Processes.parent_process
IN ("*&gt;*", "*>*") Processes.parent_process IN ("*&amp;*", "*& *") ) OR ( Processes.process
= "*ping*" Processes.process = *-n* Processes.process="* Nul*" Processes.process
IN ("*&gt;*", "*>*") Processes.process IN ("*&amp;*", "*& *") ) by Processes.action
Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please keep the old formatting, as its clearer to understand than this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench requested changes

@patel-bhavin patel-bhavin Awaiting requested review from patel-bhavin patel-bhavin is a code owner

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
Detections Lookups Stories
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tccontre @nasbench @t-contreras @patel-bhavin