splunk · patel-bhavin · Jul 21, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
@@ -1,16 +1,16 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the execution of the chcp.com utility,
   which is used to change the active code page of the console. This detection leverages
   data from Endpoint Detection and Response (EDR) agents, focusing on process creation
-  events. This activity is significant because it can indicate the presence of malware, such
-  as IcedID, which uses this technique to determine the locale region, language, or
-  country of the compromised host. If confirmed malicious, this could lead to further
+  events. This activity is significant because it can indicate the presence of malware,
+  such as IcedID, which uses this technique to determine the locale region, language,
+  or country of the compromised host. If confirmed malicious, this could lead to further
   system compromise and data exfiltration.
 data_source:
 - Sysmon EventID 1
@@ -33,7 +33,8 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: other tools or script may used this to change code page to UTF-* or others
+known_false_positives: other tools or script may used this to change code page to
+  UTF-* or others
 references:
 - https://ss64.com/nt/chcp.html
 - https://twitter.com/tccontre18/status/1419941156633329665?s=20
@@ -64,10 +65,11 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - IcedID
   - Azorult
-  - Forest Blizzard
   - Crypto Stealer
-  - IcedID
+  - Quasar RAT
+  - Forest Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1059

@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 12
-date: '2025-05-26'
+version: 13
+date: '2025-07-16'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -42,27 +42,28 @@ references:
 tags:
   analytic_story:
   - PlugX
+  - Warzone RAT
+  - Data Destruction
   - Winter Vivern
-  - Rhysida Ransomware
-  - Malicious Inno Setup Loader
-  - DarkGate Malware
+  - WhisperGate
   - ProxyNotShell
-  - Log4Shell CVE-2021-44228
-  - Azorult
-  - Living Off The Land
-  - Qakbot
+  - DarkGate Malware
   - Chaos Ransomware
+  - Hermetic Wiper
+  - Quasar RAT
+  - Rhysida Ransomware
+  - DarkCrystal RAT
+  - Qakbot
   - IcedID
-  - Data Destruction
+  - CISA AA23-347A
+  - Azorult
+  - Living Off The Land
   - Crypto Stealer
-  - WhisperGate
+  - Malicious Inno Setup Loader
   - NjRAT
   - AsyncRAT
-  - CISA AA23-347A
-  - Hermetic Wiper
   - RedLine Stealer
-  - DarkCrystal RAT
-  - Warzone RAT
+  - Log4Shell CVE-2021-44228
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 16
-date: '2025-05-06'
+version: 17
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -18,10 +18,10 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
   file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
-  "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
-  "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
-  "*\\Windows\\repair\\*", "*\\PerfLogs\\*")
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN
+  ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*",
+  "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*",
+  "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*")
   by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
   Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
   Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
@@ -63,50 +63,51 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - AcidPour
+  - PlugX
+  - Warzone RAT
+  - Swift Slicer
+  - Data Destruction
   - AgentTesla
-  - Amadey
-  - AsyncRAT
-  - Azorult
-  - BlackByte Ransomware
+  - LockBit Ransomware
+  - Volt Typhoon
   - Brute Ratel C4
-  - Cactus Ransomware
+  - Industroyer2
+  - WhisperGate
+  - DarkGate Malware
   - Chaos Ransomware
+  - ValleyRAT
+  - XMRig
+  - Hermetic Wiper
+  - Remcos
+  - Quasar RAT
+  - Rhysida Ransomware
+  - DarkCrystal RAT
+  - Qakbot
+  - Snake Keylogger
   - China-Nexus Threat Activity
-  - Crypto Stealer
+  - IcedID
   - CISA AA23-347A
-  - DarkCrystal RAT
-  - DarkGate Malware
-  - Data Destruction
-  - Derusbi
-  - Double Zero Destructor
-  - Graceful Wipe Out Attack
+  - Azorult
   - Handala Wiper
-  - Hermetic Wiper
-  - IcedID
-  - Industroyer2
-  - LockBit Ransomware
-  - Meduza Stealer
-  - MoonPeak
+  - Crypto Stealer
+  - Salt Typhoon
+  - Earth Alux
+  - Double Zero Destructor
+  - Trickbot
+  - Cactus Ransomware
+  - BlackByte Ransomware
+  - SystemBC
+  - AcidPour
   - NjRAT
-  - PlugX
-  - Qakbot
+  - Graceful Wipe Out Attack
+  - Amadey
+  - Derusbi
+  - AsyncRAT
   - RedLine Stealer
-  - Remcos
-  - Rhysida Ransomware
-  - Salt Typhoon
   - SnappyBee
-  - Snake Keylogger
-  - Swift Slicer
-  - SystemBC
-  - Trickbot
-  - ValleyRAT
-  - Volt Typhoon
-  - Warzone RAT
-  - WhisperGate
+  - Meduza Stealer
   - WinDealer RAT
-  - XMRig
-  - Earth Alux
+  - MoonPeak
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 11
-date: '2025-05-25'
+version: 12
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -15,12 +15,11 @@ description: The following analytic detects a non-Chrome process accessing files
   and further compromise of the affected system.
 data_source:
 - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663 
-  NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User Data\\Default*"
-  | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)`
-  | `non_chrome_process_accessing_chrome_default_dir_filter`'
+search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe",
+  "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User
+  Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by
+  ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`'
 how_to_implement: To successfully implement this search, you must ingest Windows Security
   Event logs and track event code 4663. For 4663, enable "Audit Object Access" in
   Group Policy. Then check the two boxes listed for both "Success" and "Failure."
@@ -50,21 +49,22 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - AgentTesla
-  - Snake Keylogger
   - CISA AA23-347A
-  - China-Nexus Threat Activity
-  - Remcos
-  - FIN7
   - Phemedrone Stealer
-  - SnappyBee
-  - RedLine Stealer
-  - Warzone RAT
-  - Salt Typhoon
-  - 3CX Supply Chain Attack
   - DarkGate Malware
   - NjRAT
   - Malicious Inno Setup Loader
+  - Salt Typhoon
+  - Remcos
+  - Warzone RAT
+  - Quasar RAT
+  - 3CX Supply Chain Attack
+  - AgentTesla
+  - FIN7
+  - SnappyBee
+  - RedLine Stealer
+  - Snake Keylogger
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003

@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: '10'
-date: '2025-05-26'
+version: 11
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,22 +48,23 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - NjRAT
-  - Snake Keylogger
-  - AgentTesla
   - DarkGate Malware
-  - China-Nexus Threat Activity
-  - 3CX Supply Chain Attack
-  - Malicious Inno Setup Loader
   - CISA AA23-347A
+  - NjRAT
   - Phemedrone Stealer
   - Azorult
-  - Remcos
-  - RedLine Stealer
   - Salt Typhoon
+  - Remcos
   - Warzone RAT
+  - Quasar RAT
+  - 3CX Supply Chain Attack
+  - AgentTesla
+  - RedLine Stealer
   - SnappyBee
+  - Malicious Inno Setup Loader
   - FIN7
+  - Snake Keylogger
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003

@@ -1,19 +1,28 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 10
-date: '2025-05-19'
+version: 11
+date: '2025-07-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: |
-  The following analytic identifies the execution of ping sleep batch commands.
+description: 'The following analytic identifies the execution of ping sleep batch
+  commands.
+
   It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
+
   process and parent process command-line details. This activity is significant as
+
   it indicates an attempt to delay malicious code execution, potentially evading detection
+
   or sandbox analysis. If confirmed malicious, this technique allows attackers to
+
   bypass security measures, making it harder to detect and analyze their activities,
+
   thereby increasing the risk of prolonged unauthorized access and potential data
+
   exfiltration.
+
+  '
 data_source:
 - Sysmon EventID 1
 - CrowdStrike ProcessRollup2
@@ -79,11 +88,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - Warzone RAT
+  - Quasar RAT
   - Data Destruction
+  - Meduza Stealer
   - WhisperGate
   - BlackByte Ransomware
-  - Warzone RAT
-  - Meduza Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1497.003