diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml
index 8c021a0d09..88229994cd 100644
--- a/detections/endpoint/chcp_command_execution.yml
+++ b/detections/endpoint/chcp_command_execution.yml
@@ -1,16 +1,16 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation
- events. This activity is significant because it can indicate the presence of malware, such
- as IcedID, which uses this technique to determine the locale region, language, or
- country of the compromised host. If confirmed malicious, this could lead to further
+ events. This activity is significant because it can indicate the presence of malware,
+ such as IcedID, which uses this technique to determine the locale region, language,
+ or country of the compromised host. If confirmed malicious, this could lead to further
 system compromise and data exfiltration.
 data_source:
 - Sysmon EventID 1
@@ -33,7 +33,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-known_false_positives: other tools or script may used this to change code page to UTF-* or others
+known_false_positives: other tools or script may used this to change code page to
+ UTF-* or others
 references:
 - https://ss64.com/nt/chcp.html
 - https://twitter.com/tccontre18/status/1419941156633329665?s=20
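Review bot: The rewrapped `known_false_positives` value still carries the original wording, `other tools or script may used this to change code page to UTF-* or others`, which is ungrammatical in text that analysts read as tuning guidance. Since the commit already rewrites both of these lines, I would correct the sentence at the same time, e.g. `known_false_positives: Other tools or scripts may use chcp to change the console code page (to UTF-* or others); filter those as needed.`. The description reflow in the first hunk is wording-neutral and needs nothing.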
@@ -64,10 +65,11 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
+ - IcedID
 - Azorult
- - Forest Blizzard
 - Crypto Stealer
- - IcedID
+ - Quasar RAT
+ - Forest Blizzard
 asset_type: Endpoint
 mitre_attack_id:
 - T1059
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index 40cc33b0ab..91323e336c 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 12
-date: '2025-05-26'
+version: 13
+date: '2025-07-16'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -42,27 +42,28 @@ references:
 tags:
 analytic_story:
 - PlugX
+ - Warzone RAT
+ - Data Destruction
 - Winter Vivern
- - Rhysida Ransomware
- - Malicious Inno Setup Loader
- - DarkGate Malware
+ - WhisperGate
 - ProxyNotShell
- - Log4Shell CVE-2021-44228
- - Azorult
- - Living Off The Land
- - Qakbot
+ - DarkGate Malware
 - Chaos Ransomware
+ - Hermetic Wiper
+ - Quasar RAT
+ - Rhysida Ransomware
+ - DarkCrystal RAT
+ - Qakbot
 - IcedID
- - Data Destruction
+ - CISA AA23-347A
+ - Azorult
+ - Living Off The Land
 - Crypto Stealer
- - WhisperGate
+ - Malicious Inno Setup Loader
 - NjRAT
 - AsyncRAT
- - CISA AA23-347A
- - Hermetic Wiper
 - RedLine Stealer
- - DarkCrystal RAT
- - Warzone RAT
+ - Log4Shell CVE-2021-44228
 asset_type: Endpoint
 cve:
 - CVE-2021-44228
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 54418ceef5..4b15528b4a 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 16
-date: '2025-05-06'
+version: 17
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -18,10 +18,10 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
- "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
- "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
- "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
- "*\\Windows\\repair\\*", "*\\PerfLogs\\*")
+ "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN
+ ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*",
+ "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*",
+ "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*")
 by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
@@ -63,50 +63,51 @@ rba:
 type: file_name
 tags:
 analytic_story:
- - AcidPour
+ - PlugX
+ - Warzone RAT
+ - Swift Slicer
+ - Data Destruction
 - AgentTesla
- - Amadey
- - AsyncRAT
- - Azorult
- - BlackByte Ransomware
+ - LockBit Ransomware
+ - Volt Typhoon
 - Brute Ratel C4
- - Cactus Ransomware
+ - Industroyer2
+ - WhisperGate
+ - DarkGate Malware
 - Chaos Ransomware
+ - ValleyRAT
+ - XMRig
+ - Hermetic Wiper
+ - Remcos
+ - Quasar RAT
+ - Rhysida Ransomware
+ - DarkCrystal RAT
+ - Qakbot
+ - Snake Keylogger
 - China-Nexus Threat Activity
- - Crypto Stealer
+ - IcedID
 - CISA AA23-347A
- - DarkCrystal RAT
- - DarkGate Malware
- - Data Destruction
- - Derusbi
- - Double Zero Destructor
- - Graceful Wipe Out Attack
+ - Azorult
 - Handala Wiper
- - Hermetic Wiper
- - IcedID
- - Industroyer2
- - LockBit Ransomware
- - Meduza Stealer
- - MoonPeak
+ - Crypto Stealer
+ - Salt Typhoon
+ - Earth Alux
+ - Double Zero Destructor
+ - Trickbot
+ - Cactus Ransomware
+ - BlackByte Ransomware
+ - SystemBC
+ - AcidPour
 - NjRAT
- - PlugX
- - Qakbot
+ - Graceful Wipe Out Attack
+ - Amadey
+ - Derusbi
+ - AsyncRAT
 - RedLine Stealer
- - Remcos
- - Rhysida Ransomware
- - Salt Typhoon
 - SnappyBee
- - Snake Keylogger
- - Swift Slicer
- - SystemBC
- - Trickbot
- - ValleyRAT
- - Volt Typhoon
- - Warzone RAT
- - WhisperGate
+ - Meduza Stealer
 - WinDealer RAT
- - XMRig
- - Earth Alux
+ - MoonPeak
 asset_type: Endpoint
 mitre_attack_id:
 - T1036
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index 17e0056aa0..900be3ad2d 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -1,7 +1,7 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 11
-date: '2025-05-25'
+version: 12
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -15,12 +15,11 @@ description: The following analytic detects a non-Chrome process accessing files
 and further compromise of the affected system.
 data_source:
 - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663
- NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User Data\\Default*"
- | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `non_chrome_process_accessing_chrome_default_dir_filter`'
+search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe",
+ "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User
+ Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by
+ ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`'
 how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
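Review bot: The rewrapped `search` now breaks the quoted scalar inside the path literal, splitting `ObjectName="*\\Google\\Chrome\\User` from `Data\\Default*"`; YAML folds that break to one space so the matched value is still `User Data`, but the literal no longer appears on one line for reviewers or grep, and `Data\\Default*"` reads as if it were a separate clause. I would keep `ObjectName="*\\Google\\Chrome\\User Data\\Default*"` whole and break before `| stats` instead. While this line is being touched, the `"*sql*"` entry in the `ProcessName` exclusion matches any process whose name contains `sql`, which is considerably wider than the database tooling it presumably allowlists; naming the intended binaries explicitly would keep the exclusion narrow.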
@@ -50,21 +49,22 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - AgentTesla
- - Snake Keylogger
 - CISA AA23-347A
- - China-Nexus Threat Activity
- - Remcos
- - FIN7
 - Phemedrone Stealer
- - SnappyBee
- - RedLine Stealer
- - Warzone RAT
- - Salt Typhoon
- - 3CX Supply Chain Attack
 - DarkGate Malware
 - NjRAT
 - Malicious Inno Setup Loader
+ - Salt Typhoon
+ - Remcos
+ - Warzone RAT
+ - Quasar RAT
+ - 3CX Supply Chain Attack
+ - AgentTesla
+ - FIN7
+ - SnappyBee
+ - RedLine Stealer
+ - Snake Keylogger
+ - China-Nexus Threat Activity
 asset_type: Endpoint
 mitre_attack_id:
 - T1555.003
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index 5ea450fb78..8eecf58198 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: '10'
-date: '2025-05-26'
+version: 11
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,22 +48,23 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - NjRAT
- - Snake Keylogger
- - AgentTesla
 - DarkGate Malware
- - China-Nexus Threat Activity
- - 3CX Supply Chain Attack
- - Malicious Inno Setup Loader
 - CISA AA23-347A
+ - NjRAT
 - Phemedrone Stealer
 - Azorult
- - Remcos
- - RedLine Stealer
 - Salt Typhoon
+ - Remcos
 - Warzone RAT
+ - Quasar RAT
+ - 3CX Supply Chain Attack
+ - AgentTesla
+ - RedLine Stealer
 - SnappyBee
+ - Malicious Inno Setup Loader
 - FIN7
+ - Snake Keylogger
+ - China-Nexus Threat Activity
 asset_type: Endpoint
 mitre_attack_id:
 - T1555.003
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
index 67537afc32..db340f5b20 100644
--- a/detections/endpoint/ping_sleep_batch_command.yml
+++ b/detections/endpoint/ping_sleep_batch_command.yml
@@ -1,19 +1,28 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 10
-date: '2025-05-19'
+version: 11
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: |
- The following analytic identifies the execution of ping sleep batch commands.
+description: 'The following analytic identifies the execution of ping sleep batch
+ commands.
+ It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
+ process and parent process command-line details. This activity is significant as
+ it indicates an attempt to delay malicious code execution, potentially evading detection
+ or sandbox analysis. If confirmed malicious, this technique allows attackers to
+ bypass security measures, making it harder to detect and analyze their activities,
+ thereby increasing the risk of prolonged unauthorized access and potential data
+ exfiltration.
+
+ '
 data_source:
 - Sysmon EventID 1
 - CrowdStrike ProcessRollup2
@@ -79,11 +88,12 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
+ - Warzone RAT
+ - Quasar RAT
 - Data Destruction
+ - Meduza Stealer
 - WhisperGate
 - BlackByte Ransomware
- - Warzone RAT
- - Meduza Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1497.003
diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
index 5519cbc03d..69c83321f3 100644
--- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
+++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
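Review bot: The rewritten `description` still ends with an embedded newline: the empty line before the closing `'` folds to `\n` inside a single-quoted scalar, which reproduces the trailing newline the old `|` block carried, so this description keeps ending differently from the plain-scalar descriptions elsewhere in this diff. Since the commit already changes the scalar style, I would drop the empty line and the lone `'` line and close the quote directly after `exfiltration.'`, or use `description: >-` for the same folded text without the trailing newline. The split of `batch` / `commands.` across the first two lines folds to `batch commands.` and is harmless, but keeping that sentence on one line reads better.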
@@ -1,12 +1,11 @@
 name: Recon AVProduct Through Pwh or WMI
 id: 28077620-c9f6-11eb-8785-acde48001122
-version: 10
-date: '2025-06-24'
+version: 11
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description:
- The following analytic detects suspicious PowerShell script execution
+description: The following analytic detects suspicious PowerShell script execution
 via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like "SELECT," "WMIC," "AntiVirusProduct,"
@@ -15,73 +14,71 @@ description:
 aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.
 data_source:
- - Powershell Script Block Logging 4104
-search:
- '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText
+- Powershell Script Block Logging 4104
+search: '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText
 = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`'
-how_to_implement:
- To successfully implement this analytic, you will need to enable
+how_to_implement: To successfully implement this analytic, you will need to enable
 PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
 known_false_positives: network administrator may used this command for checking purposes
 references:
- - https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
- - https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
- - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
- - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
+- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
+- https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
+- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
+- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
+- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
 drilldown_searches:
- - name: View the detection results for - "$dest$" and "$user_id$"
- search: '%original_detection_search% | search dest = "$dest$" user_id = "$user_id$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
- - name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search:
- '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
- "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
- as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
- Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
- as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
- by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+- name: View the detection results for - "$dest$" and "$user_id$"
+ search: '%original_detection_search% | search dest = "$dest$" user_id = "$user_id$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+ "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
+ as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+ Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 rba:
 message: A suspicious powershell script contains AV recon command on host $dest$
 risk_objects:
- - field: dest
- type: system
- score: 56
- - field: user_id
- type: user
- score: 56
+ - field: dest
+ type: system
+ score: 56
+ - field: user_id
+ type: user
+ score: 56
 threat_objects: []
 tags:
 analytic_story:
- - Malicious PowerShell
- - Data Destruction
- - Prestige Ransomware
- - Hermetic Wiper
- - Ransomware
- - Qakbot
- - MoonPeak
- - XWorm
- - Windows Post-Exploitation
+ - XWorm
+ - Ransomware
+ - Hermetic Wiper
+ - Prestige Ransomware
+ - Quasar RAT
+ - Malicious PowerShell
+ - Data Destruction
+ - MoonPeak
+ - Qakbot
+ - Windows Post-Exploitation
 asset_type: Endpoint
 mitre_attack_id:
- - T1592
+ - T1592
 product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
- - name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log
- source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
- sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
index 7f67093d6e..6db866dc90 100644
--- a/detections/endpoint/recon_using_wmi_class.yml
+++ b/detections/endpoint/recon_using_wmi_class.yml
@@ -1,12 +1,11 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 9
-date: '2025-06-24'
+version: 10
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description:
- The following analytic detects suspicious PowerShell activity via EventCode
+description: The following analytic detects suspicious PowerShell activity via EventCode
 4104, where WMI performs event queries to gather information on running processes or services. This detection leverages PowerShell Script Block Logging to identify specific WMI queries targeting system information classes like Win32_Bios and Win32_OperatingSystem.
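Review bot: The second `references` entry is rewritten on a `+` line with a trailing `.` still glued to the URL, `...configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.`, so the link as listed is unlikely to resolve to the intended page; the identical entry is repeated in the `recon_using_wmi_class.yml` hunk. The period is sentence punctuation carried over from `how_to_implement`, where it is correct. I would drop the final character on both reference lines so they read `- https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba`. The rest of this hunk only switches the file to flush sequence indentation and single-line scalars, which is behaviour-neutral.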
@@ -15,81 +14,77 @@ description:
 could gain detailed system information, aiding in further exploitation or lateral movement within the network.
 data_source:
- - Powershell Script Block Logging 4104
-search:
- '`powershell` EventCode=4104 (ScriptBlockText= "*SELECT*" OR ScriptBlockText=
- "*Get-WmiObject*") AND (ScriptBlockText= "*Win32_Bios*" OR ScriptBlockText= "*Win32_OperatingSystem*"
- OR ScriptBlockText= "*Win32_Processor*" OR ScriptBlockText= "*Win32_ComputerSystem*"
- OR ScriptBlockText= "*Win32_PnPEntity*" OR ScriptBlockText= "*Win32_ShadowCopy*"
- OR ScriptBlockText= "*Win32_DiskDrive*" OR ScriptBlockText= "*Win32_PhysicalMemory*")
- | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest
- signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID
- ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+- Powershell Script Block Logging 4104
+search: '`powershell` EventCode=4104 AND ScriptBlockText IN ("*SELECT*", "*Get-WmiObject*")
+ AND ScriptBlockText IN ("*Win32_Bios*", "*Win32_OperatingSystem*", "*Win32_Processor*",
+ "*Win32_ComputerSystem*", "*Win32_PnPEntity*", "*Win32_ShadowCopy*", "*Win32_DiskDrive*",
+ "*Win32_PhysicalMemory*", "*Win32_BaseBoard*", "*Win32_DisplayConfiguration*") |
+ fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature
+ signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId
+ ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 | `recon_using_wmi_class_filter`'
-how_to_implement:
- To successfully implement this analytic, you will need to enable
+how_to_implement: To successfully implement this analytic, you will need to enable
 PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
 known_false_positives: network administrator may used this command for checking purposes
 references:
- - https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
- - https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
- - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
- - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
- - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
- - https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
+- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
+- https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
+- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
+- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
+- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
+- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
+- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
 drilldown_searches:
- - name: View the detection results for - "$dest$" and "$user_id$"
- search: '%original_detection_search% | search dest = "$dest$" user_id = "$user_id$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
- - name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search:
- '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
- "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
- as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
- Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
- as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
- by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+- name: View the detection results for - "$dest$" and "$user_id$"
+ search: '%original_detection_search% | search dest = "$dest$" user_id = "$user_id$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+ "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
+ as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+ Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 rba:
- message:
- A suspicious powershell script contains host recon commands detected on
+ message: A suspicious powershell script contains host recon commands detected on
 host $dest$
 risk_objects:
- - field: dest
- type: system
- score: 60
- - field: user_id
- type: user
- score: 60
+ - field: dest
+ type: system
+ score: 60
+ - field: user_id
+ type: user
+ score: 60
 threat_objects: []
 tags:
 analytic_story:
- - AsyncRAT
- - LockBit Ransomware
- - Malicious PowerShell
- - Malicious Inno Setup Loader
- - Hermetic Wiper
- - Data Destruction
- - Qakbot
- - Industroyer2
- - MoonPeak
+ - Hermetic Wiper
+ - Quasar RAT
+ - Malicious PowerShell
+ - Data Destruction
+ - AsyncRAT
+ - MoonPeak
+ - LockBit Ransomware
+ - Malicious Inno Setup Loader
+ - Qakbot
+ - Industroyer2
 asset_type: Endpoint
 mitre_attack_id:
- - T1592
- - T1059.001
+ - T1592
+ - T1059.001
 product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
- - name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log
- source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
- sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index f1ff8be9f2..b44ab34fe3 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: '22'
-date: '2025-05-06'
+version: 23
+date: '2025-07-16'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
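Review bot: The rewritten `search` widens the second `ScriptBlockText IN (...)` list with `*Win32_BaseBoard*` and `*Win32_DisplayConfiguration*`, but nothing else in the hunk follows that change: the `True Positive Test` still points at the same `reconusingwmi.log` dataset, so the two new classes are only exercised if that log already contains them, and `known_false_positives` keeps its one-line administrator note. Both classes are, as far as I know, also read by routine hardware-inventory and support scripts, which this hunk does not mention; I would extend the text to something like `known_false_positives: network administrator may used this command for checking purposes; hardware and asset inventory scripts also query Win32_BaseBoard and Win32_DisplayConfiguration.` and either add a dataset that exercises the new classes or note in the commit that the existing one does. The switch from the `OR` chain to `ScriptBlockText IN (...)` is equivalent for the pre-existing classes and is fine.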
@@ -78,40 +78,41 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - DHS Report TA18-074A
- - CISA AA23-347A
- - Chaos Ransomware
- - China-Nexus Threat Activity
- - IcedID
- - BlackByte Ransomware
- - Qakbot
- - MoonPeak
 - Warzone RAT
+ - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
+ - Sneaky Active Directory Persistence Tricks
 - Windows Registry Abuse
+ - Chaos Ransomware
+ - DarkGate Malware
+ - Remcos
+ - Quasar RAT
 - Braodo Stealer
- - Derusbi
- - AsyncRAT
- - RedLine Stealer
- - Suspicious MSHTA Activity
+ - Qakbot
+ - Snake Keylogger
+ - China-Nexus Threat Activity
+ - IcedID
+ - CISA AA23-347A
+ - Ransomware
+ - XWorm
+ - Azorult
 - Salt Typhoon
 - Cactus Ransomware
- - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
- - Windows Persistence Techniques
- - WinDealer RAT
+ - BlackSuit Ransomware
+ - BlackByte Ransomware
+ - SystemBC
+ - NjRAT
+ - DHS Report TA18-074A
+ - Derusbi
 - Amadey
+ - Suspicious MSHTA Activity
 - Suspicious Windows Registry Activities
- - NjRAT
- - Sneaky Active Directory Persistence Tricks
- - BlackSuit Ransomware
- - Ransomware
- - XWorm
- - SnappyBee
- - Azorult
 - Emotet Malware DHS Report TA18-201A
- - Snake Keylogger
- - Remcos
- - SystemBC
- - DarkGate Malware
+ - WinDealer RAT
+ - AsyncRAT
+ - RedLine Stealer
+ - SnappyBee
+ - Windows Persistence Techniques
+ - MoonPeak
 asset_type: Endpoint
 mitre_attack_id:
 - T1547.001
diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml
index 627cc91d88..5922233ce2 100644
--- a/detections/endpoint/runas_execution_in_commandline.yml
+++ b/detections/endpoint/runas_execution_in_commandline.yml
@@ -1,7 +1,7 @@
 name: Runas Execution in CommandLine
 id: 4807e716-43a4-11ec-a0e7-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -43,9 +43,10 @@ references: - https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/ tags: analytic_story: + - Quasar RAT - Data Destruction - - Hermetic Wiper - Windows Privilege Escalation + - Hermetic Wiper asset_type: Endpoint mitre_attack_id: - T1134.001 diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 59e1a41875..1e44e69158 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: '17' -date: '2025-05-06' +version: 18 +date: '2025-07-16' author: Bhavin Patel, Splunk status: production type: TTP @@ -71,34 +71,35 @@ rba: threat_objects: [] tags: analytic_story: - - DHS Report TA18-074A - - Phemedrone Stealer - - CISA AA23-347A - - China-Nexus Threat Activity - - MoonPeak - ShrinkLocker - - Medusa Ransomware - - Prestige Ransomware - - AsyncRAT - - Sandworm Tools - - RedLine Stealer - - Living Off The Land - - Salt Typhoon - - Windows Persistence Techniques - - Amadey - - Winter Vivern - AgentTesla - - NjRAT - - XWorm + - CISA AA24-241A + - Winter Vivern + - Quasar RAT + - Rhysida Ransomware + - Sandworm Tools - DarkCrystal RAT + - Qakbot + - China-Nexus Threat Activity + - XWorm + - CISA AA23-347A - Azorult - - CISA AA24-241A + - Living Off The Land + - Salt Typhoon + - Trickbot - NOBELIUM Group - CISA AA22-257A + - Medusa Ransomware + - Phemedrone Stealer + - NjRAT + - DHS Report TA18-074A - Scheduled Tasks - - Rhysida Ransomware - - Qakbot - - Trickbot + - Prestige Ransomware + - Amadey + - AsyncRAT + - RedLine Stealer + - Windows Persistence Techniques + - MoonPeak asset_type: Endpoint mitre_attack_id: - T1053.005 
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml index 782f5f781d..6b43578d71 100644 --- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml +++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml @@ -1,7 +1,7 @@ name: Schtasks scheduling job on remote system id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6 -version: 15 -date: '2025-05-19' +version: 16 +date: '2025-07-16' author: David Dorsey, Mauricio Velazco, Splunk status: production type: TTP @@ -69,14 +69,15 @@ rba: type: process_name tags: analytic_story: - - Active Directory Lateral Movement - - Living Off The Land + - Scheduled Tasks - Phemedrone Stealer + - Living Off The Land - Prestige Ransomware + - Quasar RAT + - RedLine Stealer + - Active Directory Lateral Movement - NOBELIUM Group - - Scheduled Tasks - Compromised Windows Host - - RedLine Stealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 1f5f2802a3..3989f0ac88 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: '13' -date: '2025-05-26' +version: 14 +date: '2025-07-16' author: Michael Haag, Splunk status: production type: Anomaly 
@@ -69,22 +69,23 @@ rba: threat_objects: [] tags: analytic_story: - - DarkCrystal RAT - - China-Nexus Threat Activity - - Windows Persistence Techniques - - Ryuk Ransomware + - XWorm - Medusa Ransomware - - Malicious Inno Setup Loader - CISA AA23-347A - Azorult + - Scheduled Tasks - Living Off The Land + - Ransomware - Crypto Stealer - Salt Typhoon - - XWorm + - Quasar RAT + - DarkCrystal RAT + - Ryuk Ransomware - CISA AA24-241A - - Scheduled Tasks - - Ransomware + - Malicious Inno Setup Loader + - Windows Persistence Techniques - MoonPeak + - China-Nexus Threat Activity asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 3d24ced584..ee1f1aaa2c 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -1,7 +1,7 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: '8' -date: '2025-05-06' +version: 9 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -55,12 +55,13 @@ rba: threat_objects: [] tags: analytic_story: + - XWorm - Chaos Ransomware - - Gozi Malware - NjRAT - - RedLine Stealer - - XWorm - Crypto Stealer + - Gozi Malware + - Quasar RAT + - RedLine Stealer asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 2ac2a4c2f0..1c6b1e875a 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml 
@@ -1,7 +1,7 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 -version: 12 -date: '2025-05-26' +version: 13 +date: '2025-07-16' author: Teoderick Contreras, Bhavin Patel Splunk data_source: - Windows Event Log Security 4663 @@ -60,16 +60,17 @@ rba: threat_objects: [] tags: analytic_story: - - Snake Keylogger - - China-Nexus Threat Activity - - Meduza Stealer - - Malicious Inno Setup Loader + - Salt Typhoon - Earth Alux + - Quasar RAT - PXA Stealer - - Salt Typhoon - - Braodo Stealer - SnappyBee + - Malicious Inno Setup Loader + - Braodo Stealer - MoonPeak + - Snake Keylogger + - China-Nexus Threat Activity + - Meduza Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index f7d27a8279..03504d56f5 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 12 -date: '2025-05-26' +version: 13 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,22 +51,23 @@ rba: threat_objects: [] tags: analytic_story: - - NjRAT - - Snake Keylogger - DarkGate Malware - - China-Nexus Threat Activity - - Meduza Stealer - - Amadey - Malicious Inno Setup Loader + - NjRAT - Phemedrone Stealer - - Earth Alux - - RedLine Stealer - - PXA Stealer - Salt Typhoon - - Braodo Stealer + - Amadey + - Earth Alux - Warzone RAT + - Quasar RAT + - PXA Stealer + - RedLine Stealer - SnappyBee + - Meduza Stealer + - Braodo Stealer - MoonPeak + - Snake Keylogger + - China-Nexus Threat Activity asset_type: Endpoint mitre_attack_id: - T1012 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index db2ed5556d..7b9aa8240d 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 12 -date: '2025-05-26' +version: 13 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,22 +52,23 @@ rba: threat_objects: [] tags: analytic_story: - - NjRAT - - Snake Keylogger - DarkGate Malware - - China-Nexus Threat Activity - - Meduza Stealer - - Amadey - Malicious Inno Setup Loader + - NjRAT - Phemedrone Stealer - - Earth Alux - - RedLine Stealer - - PXA Stealer - Salt Typhoon - - Braodo Stealer + - Amadey + - Earth Alux - Warzone RAT + - Quasar RAT + - PXA Stealer + - RedLine Stealer - SnappyBee + - Meduza Stealer + - Braodo Stealer - MoonPeak + - Snake Keylogger + - China-Nexus Threat Activity asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml index f1c47c04c3..b136ed8b9b 100644 --- a/detections/endpoint/windows_mark_of_the_web_bypass.yml +++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml @@ -1,7 +1,7 @@ name: Windows Mark Of The Web Bypass id: 8ca13343-7405-4916-a2d1-ae34ce0c28ae -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: TTP @@ -52,6 +52,7 @@ rba: threat_objects: [] tags: analytic_story: + - Quasar RAT - Warzone RAT asset_type: Endpoint mitre_attack_id: 
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 23e484a116..79c95da0db 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: '9' -date: '2025-05-06' +version: 10 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: TTP @@ -65,12 +65,13 @@ rba: threat_objects: [] tags: analytic_story: - - Compromised Windows Host + - XWorm - CISA AA23-347A - - AsyncRAT - Scheduled Tasks + - Quasar RAT + - AsyncRAT - RedLine Stealer - - XWorm + - Compromised Windows Host asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml index fd443f4714..af7c1104ea 100644 --- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml +++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml 
@@ -1,28 +1,39 @@ name: Windows Scheduled Task with Suspicious Command id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3 -version: 3 -date: '2025-05-02' +version: 4 +date: '2025-07-16' author: Steven Dick status: production type: TTP -description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment. -data_source: +description: The following analytic detects the creation of scheduled tasks designed + to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or + Cscript or from public folders such as Users, Temp, or ProgramData. It leverages + Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are + registered, enabled, or modified. This activity is significant as it may indicate + an attempt to establish persistence or execute malicious commands on a system. If + confirmed malicious, this could allow an attacker to maintain access, execute arbitrary + code, or escalate privileges, posing a severe threat to the environment. 
+data_source: - Windows Event Log Security 4698 - Windows Event Log Security 4700 - Windows Event Log Security 4702 -search: |- - `wineventlog_security` EventCode IN (4698,4700,4702) - | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) - | xmlkv TaskContent - | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, Caller_User_Name, TaskName, Command, Enabled, Hidden, EventCode - | lookup windows_suspicious_tasks task_command as Command - | where tool == "shell command use" OR tool == "suspicious paths" - | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer, signature_id = EventCode - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_scheduled_task_with_suspicious_command_filter` -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -known_false_positives: False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. Windows Defender, Google Chrome, and MS Edge updates may trigger this detection. 
+search: "`wineventlog_security` EventCode IN (4698,4700,4702)\n| eval TaskContent\ + \ = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent)\n| xmlkv TaskContent\n\ + | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as\ + \ Arguments latest(Author) as Author by Computer, Caller_User_Name, TaskName, Command,\ + \ Enabled, Hidden, EventCode\n| lookup windows_suspicious_tasks task_command as\ + \ Command \n| where tool == \"shell command use\" OR tool == \"suspicious paths\"\ + \n| eval command=TaskName, process=Command+if(isnotnull(Arguments),\" \".Arguments,\"\ + \"), src_user=Author, user = Caller_User_Name, dest = Computer, signature_id = EventCode\ + \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ + | `windows_scheduled_task_with_suspicious_command_filter` " +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also + required. +known_false_positives: False positives are possible if legitimate applications are + allowed to register tasks that call a shell to be spawned. Filter as needed based + on command-line or processes that are used legitimately. Windows Defender, Google + Chrome, and MS Edge updates may trigger this detection. references: - https://attack.mitre.org/techniques/T1053/005/ - https://www.ic3.gov/CSA/2023/231213.pdf 
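Review bot: The `search` value was changed from a `|-` block scalar into a double-quoted string with `\n` escapes and `\` line continuations, which is harder to read and to diff and now embeds trailing spaces inside the SPL (`as\ Command \n`, `signature_id = EventCode\ \n`, `firstTime)` \n` and the closing `_filter` "`); the original `search: |-` block form should be kept. `how_to_implement` still says only that `4698 EventCode` must be enabled, while the search matches `EventCode IN (4698,4700,4702)` and depends on the `windows_suspicious_tasks` lookup, so it should read `... Windows Security Event Logs with EventCodes 4698, 4700 and 4702 enabled; the windows_suspicious_tasks lookup must also be deployed`. The same reflow in the next hunk is fine as far as it goes, but it is the only place the lookup-based `tool` values (`"shell command use"`, `"suspicious paths"`) are referenced, and nothing in the file documents where they come from.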
@@ -34,36 +45,44 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: Investigate schedule tasks on $dest$ - search: '`wineventlog_security` EventCode IN (4698,4700,4702) Computer="$dest$" Caller_User_Name="$user$"' +- name: Investigate schedule tasks on $dest$ + search: '`wineventlog_security` EventCode IN (4698,4700,4702) Computer="$dest$" + Caller_User_Name="$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A suspicious windows scheduled task named [$TaskName$] was detected on $dest$, this may be an indicator of [$tool$] - risk_objects: + message: A suspicious windows scheduled task named [$TaskName$] was detected on + $dest$, this may be an indicator of [$tool$] + risk_objects: - field: dest type: system score: 70 - field: user type: user 
score: 70 - threat_objects: + threat_objects: - field: Command type: signature tags: - analytic_story: + analytic_story: - Scheduled Tasks - - Windows Persistence Techniques - Ransomware + - Quasar RAT - Ryuk Ransomware + - Windows Persistence Techniques - Seashell Blizzard asset_type: Endpoint - mitre_attack_id: + mitre_attack_id: - T1053.005 - product: + product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 7a0651069a..cbd23e8f50 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 13 -date: '2025-05-26' +version: 14 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -75,46 +75,47 @@ rba: tags: analytic_story: - PlugX - - BlackByte Ransomware - - Rhysida Ransomware - - ValleyRAT - - Malicious Inno Setup Loader - - Double Zero Destructor - - Remcos - - Handala Wiper - - Trickbot + - Water Gamayun + - Warzone RAT + - Swift Slicer + - Data Destruction + - AgentTesla + - LockBit Ransomware + - Volt Typhoon + - Brute Ratel C4 + - WhisperGate + - Industroyer2 - DarkGate Malware - - China-Nexus Threat Activity - - Prestige Ransomware - - Amadey - - Phemedrone Stealer - - Earth Alux - - Azorult + - ValleyRAT - XMRig + - Chaos Ransomware + - Hermetic Wiper + - Remcos + - Quasar RAT + - Rhysida Ransomware + - DarkCrystal RAT - Qakbot + - China-Nexus Threat Activity - XWorm - - Chaos Ransomware - IcedID - - Graceful Wipe Out Attack - - Meduza Stealer - - LockBit Ransomware - - Volt Typhoon - - Data Destruction + - CISA AA23-347A + - Azorult + - Handala Wiper - Salt Typhoon - - Brute Ratel C4 - - WhisperGate - - Water Gamayun - - AgentTesla - - Swift Slicer + - Earth Alux + - Double Zero Destructor + - Trickbot + - Malicious Inno Setup Loader + - BlackByte Ransomware - SystemBC + - Phemedrone Stealer + - Graceful Wipe Out Attack + - Prestige Ransomware + - Amadey - AsyncRAT - - CISA AA23-347A - - Hermetic Wiper - RedLine Stealer - - DarkCrystal RAT - - Warzone RAT - SnappyBee - - Industroyer2 + - Meduza Stealer - MoonPeak asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index 1ba3ae54c2..361ca107e3 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -1,7 +1,7 @@ name: Windows System Reboot CommandLine id: 97fc2b60-c8eb-4711-93f7-d26fade3686f -version: '7' -date: '2025-05-06' +version: '8' +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: Anomaly 
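Review bot: `+version: '8'` in windows_system_reboot_commandline keeps the version as a quoted string, while every other bump in this commit that started from a quoted value converts it to a plain integer (registry_keys_used_for_persistence `'22'`→`23`, scheduled_task_deleted_or_created_via_cmd `'17'`→`18`, suspicious_scheduled_task_from_public_directory `'13'`→`14`, windows_boot_or_logon_autostart_execution_in_startup_folder `'8'`→`9`, windows_scheduled_task_with_highest_privileges `'9'`→`10`, windows_system_shutdown_commandline `'8'`→`9`, windows_user_execution_malicious_url_shortcut_file `'8'`→`9`). Make this one `version: 8` as well so the field has a single type across the detections; a consumer that compares versions numerically would otherwise see a string here.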
@@ -65,10 +65,11 @@ rba: threat_objects: [] tags: analytic_story: - - NjRAT - XWorm - - DarkCrystal RAT - DarkGate Malware + - NjRAT + - Quasar RAT + - DarkCrystal RAT - MoonPeak asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index d23d2e830a..f1c4abfe2d 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -1,7 +1,7 @@ name: Windows System Shutdown CommandLine id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c -version: '8' -date: '2025-05-06' +version: 9 +date: '2025-07-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -64,11 +64,12 @@ rba: threat_objects: [] tags: analytic_story: - - Sandworm Tools - - NjRAT - XWorm - - DarkCrystal RAT - DarkGate Malware + - NjRAT + - Quasar RAT + - Sandworm Tools + - DarkCrystal RAT - MoonPeak asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml new file mode 100644 index 0000000000..cff3f41b4d --- /dev/null +++ b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml 
@@ -0,0 +1,72 @@
+name: Windows Unusual FileZilla XML Config Access
+id: 47dc0426-cbe4-4253-8b86-1a983c3f9951
+version: 1
+date: '2025-07-16'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies processes accessing FileZilla XML config files
+ such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event
+ logs, specifically monitoring EventCode 4663, which tracks object access events.
+ This activity is significant because it can indicate unauthorized access or manipulation
+ of sensitive configuration files used by FileZilla, a popular FTP client. If confirmed
+ malicious, this could lead to data exfiltration, credential theft, or further compromise
+ of the system.
+data_source:
+- Windows Event Log Security 4663
+search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN("C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "C:\Program Files (x86)\\FileZilla FTP Client\\filezilla.exe", "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe"))
+ file_path IN ("*FileZilla\\recentservers.xml*", "*FileZilla\\sitemanager.xml*")
+ | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType
+ ProcessName AccessMask process_id EventCode Computer Caller_User_Name
+ | rename Computer as dest Caller_User_Name as user ProcessName as process_name
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_unusual_filezilla_xml_config_access_filter`'
+how_to_implement: To successfully implement this search, you must ingest Windows Security
+ Event logs and track event code 4663. For 4663, enable "Audit Object Access" in
+ Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: a third party application can access the FileZilla XML config files.
+ Filter is needed.
+references:
+- https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: a non filezilla process $process_name$ with $process_id$ accessed
+ FileZilla XML config files on host $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 40
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - Quasar RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1552.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/file_xml_config/filezilla_obj.log
+ source: XmlWinEventLog:Security
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
new file mode 100644
index 0000000000..058e587c93
--- /dev/null
+++ b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
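Review bot: The second allowlisted path in the `search` exclusion, `"C:\Program Files (x86)\\FileZilla FTP Client\\filezilla.exe"`, escapes `C:\` with a single backslash while its three siblings use `\\`; the scalar is single-quoted, so this inconsistency reaches SPL as written and whether the 32-bit FileZilla install is suppressed then depends on how the search head treats `\P`, which is not something to rely on — write it as `"C:\\Program Files (x86)\\FileZilla FTP Client\\filezilla.exe"`. The exclusion is a path-only allowlist, so `known_false_positives` should say that a FileZilla or OneDrive binary installed anywhere other than these four paths will alert, and that backup agents and sync clients other than OneDrive routinely read `sitemanager.xml` and `recentservers.xml`; `Filter is needed.` on its own does not tell an analyst what to expect. The `rba.message` text `a non filezilla process` would read better as `a process other than FileZilla`, matching the product name used in `name` and `description`.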
@@ -0,0 +1,71 @@
+name: Windows Unusual Intelliform Storage Registry Access
+id: 99d69078-7dae-4ffe-9f3d-063242772f5a
+version: 1
+date: '2025-07-16'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies processes accessing Intelliform Storage Registry keys
+ used by Internet Explorer. It leverages Windows Security Event logs, specifically
+ monitoring EventCode 4663, which tracks object access events. This activity is significant
+ because it can indicate unauthorized access or manipulation of sensitive registry
+ keys used for storing form data in Internet Explorer. If confirmed malicious, this
+ could lead to data exfiltration, credential theft, or further compromise of the system.
+data_source:
+- Windows Event Log Security 4663
+search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN("C:\\Program Files\\Internet Explorer\\iexplore.exe", "C:\\Windows\\System32\\dllhost.exe", "C:\\Windows\\SysWow64\\dllhost.exe"))
+ ObjectName IN ("*Software\\microsoft\\Internet Explorer\\Intelliforms\\storage2*")
+ | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType
+ ProcessName AccessMask process_id EventCode Computer Caller_User_Name
+ | rename Computer as dest Caller_User_Name as user ProcessName as process_name
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_unusual_intelliform_storage_registry_access_filter`'
+how_to_implement: To successfully implement this search, you must ingest Windows Security
+ Event logs and track event code 4663. For 4663, enable "Audit Object Access" in
+ Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: a third party application can access the FileZilla XML config files.
+ Filter is needed.
+references:
+- https://stackoverflow.com/questions/1276700/where-does-internet-explorer-stores-its-form-data-history-that-is-uses-for-auto
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: a non Internet Explorer process $process_name$ with $process_id$ accessed
+ Intelliform Storage Registry keys on host $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 35
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - Quasar RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1552.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/ie_intelliform_storage/storage2_sim.log
+ source: XmlWinEventLog:Security
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
new file mode 100644
index 0000000000..06785d1842
--- /dev/null
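Review bot: `known_false_positives` was carried over from the FileZilla detection and still reads `a third party application can access the FileZilla XML config files.`, which is wrong for this file; it should say `a third party application can access the Internet Explorer IntelliForms storage registry keys. Filter is needed.` and ideally name the common benign readers (password managers with IE import, migration and backup tools). The exclusion list drops both `C:\\Windows\\System32\\dllhost.exe` and `C:\\Windows\\SysWow64\\dllhost.exe` by path alone, and dllhost.exe hosts arbitrary COM surrogates, so the file should document why that entry is there and that access performed through a COM surrogate is deliberately not scored; without that note a future maintainer cannot tell whether the exclusion is a tuning choice or an oversight. The `rba.message` value `a non Internet Explorer process` would be clearer as `a process other than Internet Explorer`.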
+++ b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml 
@@ -0,0 +1,73 @@
+name: Windows Unusual Process Load Mozilla NSS-Mozglue Module
+id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd
+version: 1
+date: '2025-07-16'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies processes loading Mozilla NSS-Mozglue libraries
+ such as mozglue.dll and nss3.dll. It leverages Sysmon Event logs, specifically monitoring
+ EventCode 7, which tracks image loaded events. This activity is significant because
+ it can indicate unauthorized access or manipulation of these libraries, which are
+ commonly used by Mozilla applications like Firefox and Thunderbird. If confirmed malicious,
+ this could lead to data exfiltration, credential theft, or further compromise of the system.
+data_source:
+- Sysmon EventID 7
+search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\mozglue.dll", "*\\nss3.dll")
+ NOT(process_path IN("*:\\Program Files\Mozilla Firefox\\firefox.exe", "*:\\Program Files (x86)\Mozilla Firefox\\firefox.exe", "*:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "*:\\Program Files (x86)\\Mozilla Thunderbird\\thunderbird.exe", "*\\Tor Browser\\Browser\\firefox.exe","*:\\Program Files\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files (x86)\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files\\Pale Moon\\palemoon.exe", "*:\\Program Files (x86)\\Pale Moon\\palemoon.exe", "*:\\Program Files\\Waterfox\\waterfox.exe","*:\\Program Files (x86)\\Waterfox\\waterfox.exe", "*:\\Program Files\\Cyberfox\cyberfox.exe", "*:\\Program Files (x86)\\Cyberfox\\cyberfox.exe", "*\\AppData\\Local\\slack\\slack.exe", "*:\\Program Files (x86)\\VMware\\VMware Horizon View Client\\vmware-view.exe", "*:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "*:\\Program Files\\Google\\Google Earth Pro\\client\\googleearth.exe"))
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime
+ by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
+ process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists
+ service_dll_signature_verified signature signature_id user_id vendor_product
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_unusual_process_load_mozilla_nss_mozglue_module_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+ logs with the process name and imageloaded executions from your endpoints. If you
+ are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: Legitimate windows application that are not on the list loading
+ this dll. Filter as needed.
+references:
+- https://www.trendmicro.com/vinfo/nz/threat-encyclopedia/malware/trojanspy.win32.vidar.yxdftz
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: a non Firefox or Thunderbird process $process_name$ with $process_id$ loaded
+ the Mozilla NSS-Mozglue libraries on host $dest$.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 30
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - Quasar RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1218.003
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.003/moz_lib_loaded/mozilla_lib.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index 5a7df8bf54..de6c079f0e 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,7 +1,7 @@
 name: Windows User Execution Malicious URL Shortcut File
 id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: '8'
-date: '2025-05-06'
+version: 9
+date: '2025-07-16'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -60,9 +60,10 @@ rba:
 tags:
 analytic_story:
 - XWorm
+ - Chaos Ransomware
 - NjRAT
+ - Quasar RAT
 - Snake Keylogger
- - Chaos Ransomware
 asset_type: Endpoint
 mitre_attack_id:
 - T1204.002
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index 9de0e10c8a..49a47cf180 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
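Review bot: Three entries in the `process_path` exclusion list use a single backslash where every other entry uses `\\` — `"*:\\Program Files\Mozilla Firefox\\firefox.exe"`, `"*:\\Program Files (x86)\Mozilla Firefox\\firefox.exe"` and `"*:\\Program Files\\Cyberfox\cyberfox.exe"` — and because the scalar is single-quoted the mixed escaping reaches SPL as written; Firefox is the main legitimate loader of nss3.dll and mozglue.dll, so if `\M` is not treated as a literal backslash this becomes a very noisy analytic, and the entries should be normalised to `\\Mozilla Firefox\\` and `\\Cyberfox\\`. `mitre_attack_id` is `T1218.003` (System Binary Proxy Execution: CMSTP), which does not describe a process loading Mozilla's credential-store libraries; the behaviour the Vidar reference documents is Credentials from Password Stores: Credentials from Web Browsers, `T1555.003`, and the attack_data path `T1218.003/moz_lib_loaded` will need to move with it. The `rba.message` says `a non Firefox or Thunderbird process`, but the allowlist also covers Tor Browser, Pale Moon, Waterfox, Cyberfox, Slack, Dropbox, Code42, VMware Horizon and Google Earth, so `a process outside the known NSS-consumer allowlist` would describe what actually fires. `known_false_positives` (`Legitimate windows application that are not on the list loading this dll`) should also name the main unlisted consumers you expect, such as other Gecko-based browsers and their updaters, so that the exclusion list is maintained rather than grown ad hoc.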
@@ -1,7 +1,7 @@
 name: WinEvent Scheduled Task Created Within Public Path
 id: 5d9c6eee-988c-11eb-8253-acde48001122
-version: 16
-date: '2025-05-26'
+version: 17
+date: '2025-07-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -54,26 +54,27 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - Windows Persistence Techniques
+ - Data Destruction
 - Winter Vivern
- - Ryuk Ransomware
- - Medusa Ransomware
- - Malicious Inno Setup Loader
+ - Industroyer2
 - Compromised Windows Host
+ - Quasar RAT
 - China-Nexus Threat Activity
- - Prestige Ransomware
 - XWorm
 - Ransomware
- - Active Directory Lateral Movement
 - IcedID
- - Data Destruction
+ - CISA AA23-347A
 - Salt Typhoon
- - Industroyer2
+ - Ryuk Ransomware
+ - Active Directory Lateral Movement
+ - Malicious Inno Setup Loader
 - CISA AA22-257A
+ - Medusa Ransomware
 - SystemBC
- - AsyncRAT
- - CISA AA23-347A
 - Scheduled Tasks
+ - Prestige Ransomware
+ - AsyncRAT
+ - Windows Persistence Techniques
 asset_type: Endpoint
 mitre_attack_id:
 - T1053.005
diff --git a/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
index 6a70f4544a..f0f5b88268 100644
--- a/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
+++ b/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
@@ -1,7 +1,7 @@
 name: Wermgr Process Connecting To IP Check Web Services
 id: ed313326-a0f9-11eb-a89c-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-07-16'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
index a0e13dcfea..c3630963a6 100644
--- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
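Review bot: The `@@ -1,7 +1,7 @@` hunk is the only one for wermgr_process_connecting_to_ip_check_web_services.yml in this diff, so `version` moves from 8 to 9 and `date` to 2025-07-16 with no other change to the file. Unless a content edit was intended and lost (for example a whitespace-only change the diff view hides), revert those two lines so the version history only records real changes.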
+++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
@@ -1,10 +1,10 @@
 name: Windows Gather Victim Network Info Through Ip Check Web Services
 id: 70f7c952-0758-46d6-9148-d8969c4481d1
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
-type: Hunting
+type: Anomaly
 description: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and "ipinfo.io".
@@ -18,7 +18,9 @@ search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "*
 "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*",
- "*geoip.*", "*icanhazip.*") | stats min(_time) as firstTime max(_time) as lastTime
+ "*geoip.*", "*icanhazip.*", "*ipwho.is*", "*ifconfig.me*", "*myip.com*", "*ipstack.com*", "*myexternalip.com*",
+ "*ip-api.io*", "*trackip.net*", "*ipgeolocation.io*", "*ipfind.io*", "*freegeoip.app*", "*ipv4bot.whatismyipaddress.com*")
+ | stats min(_time) as firstTime max(_time) as lastTime
 count by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
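Review bot: The `type` change from Hunting to Anomaly in the `@@ -1,10 +1,10 @@` hunk makes this search feed risk scoring, yet the known_false_positives text visible in the next hunk already says browsers have to be filtered out, so every host whose browser resolves one of these services will presumably accumulate risk on `dvc` unless the filter macro at the end of the search (outside this hunk) is tuned per deployment. A built-in exclusion of the common browsers inside the search itself, e.g. `NOT process_name IN ("chrome.exe", "msedge.exe", "firefox.exe")` ahead of the `stats`, would keep the Anomaly usable out of the box, and `how_to_implement` should mention that the search now produces risk events. The search line is cut at the hunk boundary, so what follows the last `security_content_ctime` could not be checked here.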
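Review bot: The first added line of the `@@ -18,7 +18,9 @@` hunk introduces `"*myexternalip.com*"`, which subsumes the exact `"www.myexternalip.com"` already present in the context line above, and `"*icanhazip.*"` already covers `"*icanhazip.com"`; drop the narrower entry of each pair so the list stays easy to audit. Patterns wildcarded on both ends such as `"*myip.com*"` also match any longer name that merely contains the substring (constructed example: `corp-myip.com.example`), so anchor them as `"*myip.com"` unless the wider match is intended. The list is now around thirty literal domains embedded in the SPL; keeping them in a CSV lookup, as this same diff does for browser_app_list.csv, would let analysts extend the list without a version bump to the detection. The `stats` line is cut at the hunk boundary, so the trailing filter macro is not visible here.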
@@ -31,6 +33,29 @@ known_false_positives: Filter internet browser application to minimize the false
 of this detection.
 references:
 - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: a network connection on known abused web services from $dvc$
+ risk_objects:
+ - field: dvc
+ type: system
+ score: 36
+ threat_objects:
+ - field: process_name
+ type: process_name
 tags:
 analytic_story:
 - Azorult
@@ -41,6 +66,7 @@ tags:
 - PXA Stealer
 - Meduza Stealer
 - Water Gamayun
+ - Quasar RAT
 asset_type: Endpoint
 mitre_attack_id:
 - T1590.005
diff --git a/lookups/browser_app_list.csv b/lookups/browser_app_list.csv
index 03f7eb96a8..55a263c2bd 100644
--- a/lookups/browser_app_list.csv
+++ b/lookups/browser_app_list.csv
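Review bot: Both new drilldown searches in the `@@ -31,6 +33,29 @@` hunk key on `$dest$`, but this detection's `stats ... by` clause (previous hunk) emits `dvc` and `src` and never `dest`, and the new rba block scores `dvc`; as written, `| search dest = "$dest$"` and `normalized_risk_object IN ("$dest$")` will presumably run with an unresolved token and return nothing. Change the two `search:` lines to `search: '%original_detection_search% | search dvc = "$dvc$"'` and `... | search normalized_risk_object IN ("$dvc$")`, and use `$dvc$` in both `name:` entries as well. The rba `message:` would also be more actionable if it used fields the search already groups by, e.g. `message: $process_name$ on $dvc$ queried IP check service $QueryName$`.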
@@ -37,6 +37,7 @@ browser_process_name,browser_object_path,isAllowed
 "*KometaBrowser.exe","*Kometa\User Data\Default\Login Data*", true
 "*XpomBrowser.exe","*Xpom\User Data\Default\Login Data*", true
 "*msedge.exe","*Microsoft\Edge\User Data\Default\Login Data*", true
+"*msedge.exe","*Microsoft\Edge\User Data\Local State*", true
 "*LiebaoBrowser.exe","*Liebao7\User Data\Default\EncryptedStorage*", true
 "*AvastBrowser.exe","*AVAST Software\Browser\User Data\Default\Login Data*", true
 "*Kinza.exe","*Kinza\User Data\Default\Login Data*", true
@@ -44,4 +45,8 @@ browser_process_name,browser_object_path,isAllowed
 "*icedragon.exe","*Comodo\IceDragon\Profiles\logins.json*", true
 "*cyberfox.exe","*8pecxstudios\Cyberfox\Profiles\logins.json*", true
 "*SlimBrowser.exe","*FlashPeak\SlimBrowser\Profiles\logins.json*", true
-"*palemoon.exe","*Moonchild Productions\Pale Moon\Profiles\logins.json*", true
\ No newline at end of file
+"*palemoon.exe","*Moonchild Productions\Pale Moon\Profiles\logins.json*", true
+"*opera.exe","*Opera Software\Opera GX Stable\Login Data*", true
+"*opera.exe","*Opera Software\Opera GX Stable\Local State*", true
+"*yandex.exe","*Yandex\YandexBrowser\User Data\Default\Ya Passman Data*", true
+"*yandex.exe","*Yandex\YandexBrowser\User Data\Local State*", true
\ No newline at end of file
diff --git a/lookups/browser_app_list.yml b/lookups/browser_app_list.yml
index 850f4b38c1..6e94375d39 100644
--- a/lookups/browser_app_list.yml
+++ b/lookups/browser_app_list.yml
@@ -1,6 +1,6 @@
 name: browser_app_list
-date: 2024-12-23
-version: 2
+date: 2025-07-17
+version: 3
 id: a80ccd19-e46f-4a12-9ad7-e653ad646347
 author: Splunk Threat Research Team
 lookup_type: csv
diff --git a/stories/quasar_rat.yml b/stories/quasar_rat.yml
new file mode 100644
index 0000000000..f7cda50da4
--- /dev/null
+++ b/stories/quasar_rat.yml
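Review bot: The two `"*yandex.exe"` rows at the end of the `@@ -44,4 +45,8 @@` hunk should be checked against the real image name of Yandex Browser, which I believe is `browser.exe` rather than `yandex.exe`; if so, the browser's own reads of `Ya Passman Data` and `Local State` never match the allow-list and would presumably be reported as if a stealer had touched them. The file still ends without a trailing newline on both sides (`\ No newline at end of file`), which this commit could fix while it already rewrites the last line. All new rows keep the leading-wildcard convention of the existing entries (`"*opera.exe"`, `"*msedge.exe"`), so any image whose name merely ends in the browser name satisfies the allow-list; if the consuming search also carries `process_path`, pairing the process pattern with the expected install path would make the allow-list considerably tighter.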
@@ -0,0 +1,19 @@
+name: Quasar RAT
+id: 0e75c517-fe19-491a-859d-f8b7494a8aa2
+version: 1
+date: '2025-07-16'
+author: Teoderick Contreras, Splunk
+status: production
+description: Leverage searches that help you detect and investigate unusual activities potentially associated with Quasar RAT. These includes processes accessing FileZilla XML configuration files (which may store FTP credentials for exfiltration), loading Mozilla NSS and Mozglue libraries (often targeted for DLL side-loading attacks to evade detection), steal credential via browsers and accessing Intelliform Storage Registry keys used by Internet Explorer (which can contain saved credentials and autocomplete data valuable for credential theft).
+narrative: Quasar RAT is an open-source remote access Trojan (RAT) written in .NET, widely used by both cybercriminals and advanced threat actors for espionage, credential theft, and lateral movement. First appearing around 2014, Quasar offers a rich feature set including remote desktop control, file management, keylogging, and password dumping. Its open-source nature makes it easy for attackers to customize and rebrand, complicating attribution efforts. Quasar is often delivered through phishing emails, malicious attachments, or cracked software, establishing persistence via registry keys or scheduled tasks. Once installed, it communicates with command-and-control servers over configurable ports, often using encrypted channels to evade network detection.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
+ - https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
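Review bot: The `description` line of the new story has wording errors that Enterprise Security will display verbatim: `These includes` should read `These include`, `steal credential via browsers` should read `stealing credentials via browsers`, and `Intelliform Storage Registry keys` presumably refers to Internet Explorer's IntelliForms storage keys, so the feature name should be spelled that way. The `references` sequence is indented under its key (`+  - https://…`), while the detection files in this diff write it flush with the key (`+- https://…`); pick the repository style so yamllint's indent-sequences rule does not single this file out. The description and narrative are each one line of several hundred characters, whereas the other files in this diff wrap long scalars at roughly 80 columns; wrapping them the same way keeps future diffs readable.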