From ab8b13c40215f478f311cdcb4d973a2b61b8edc5 Mon Sep 17 00:00:00 2001 From: tccontre Date: Fri, 13 Dec 2024 12:28:31 +0100 Subject: [PATCH 01/13] crypto_campaign --- ...ccount_access_removal_via_quser_logoff.yml | 66 ++++++++++++++++ ...cated_files_or_information_via_rar_sfx.yml | 68 +++++++++++++++++ ...indows_remote_management_execute_shell.yml | 75 +++++++++++++++++++ 3 files changed, 209 insertions(+) create mode 100644 detections/endpoint/windows_account_access_removal_via_quser_logoff.yml create mode 100644 detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml create mode 100644 detections/endpoint/windows_remote_management_execute_shell.yml diff --git a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml b/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml new file mode 100644 index 0000000000..f942569055 --- /dev/null +++ b/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml @@ -0,0 +1,66 @@ +name: 'Windows Account Access Removal via Quser LogOff' +id: 6d70780d-4cfe-4820-bafd-1b43941986b5 +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_sources: +- Powershell Script Block Logging 4104 +type: TTP +status: production +description: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation. +kind: endpoint +search: '`powershell` EventCode=4104 ScriptBlockText = "*quser*" ScriptBlockText = "*logoff*" + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText UserID Computer + | rename Computer as dest, UserID as user + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_account_access_removal_via_quser_logoff_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may use this command. +references: +- https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - UPDATE_STORY_NAME + asset_type: Endpoint + confidence: 70 + impact: 70 + message: Powershell process having commandline [$ScriptBlockText$] used to logoff user on [$dest$]. + mitre_attack_id: + - T1531 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - dest + - user + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml new file mode 100644 index 0000000000..9852179d8a --- /dev/null +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -0,0 +1,68 @@ +name: Windows Obfuscated Files or Information via RAR SFX +id: 4ab6862b-ce88-4223-96c0-f6da2cffb898 +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 11 +type: TTP +status: production +description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery. +kind: endpoint +search: '`sysmon` EventCode=11 Image="*.exe" TargetFilename IN ("*__tmp_rar_sfx_access_check*") + | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer + | rename Computer as dest + | rename TargetFilename as file_name + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_obfuscated_files_or_information_via_rar_sfx_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, TargetFilename, and eventcode 11 executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where rar sfx executable may be used. +known_false_positives: It can detect a third part utility software tool compiled to rar sfx. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - UPDATE_STORY_NAME + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A process commandline- [$Image$] that drops [$file_name$] on [$dest$]. + mitre_attack_id: + - T1027.013 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: file_name + type: File Name + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - process_name + - file_name + - process_guid + - dest + - user_id + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml new file mode 100644 index 0000000000..2fcb2a13fe --- /dev/null +++ b/detections/endpoint/windows_remote_management_execute_shell.yml @@ -0,0 +1,75 @@ +name: Windows Remote Management Execute Shell +id: 28b80028-851d-4b8d-88a5-375ba115418a +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Anomaly +status: production +description: The following analytic detects the execution of winrshost.exe initiating CMD or PowerShell processes as part of a potential payload execution. winrshost.exe is associated with Windows Remote Management (WinRM) and is typically used for remote execution. By monitoring for this behavior, the detection identifies instances where winrshost.exe is leveraged to run potentially malicious commands or payloads via CMD or PowerShell. This behavior may indicate exploitation of remote management tools for unauthorized access or lateral movement within a compromised environment, signaling a potential security incident. +kind: endpoint +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.parent_process_name="winrshost.exe" AND Processes.process_name IN ("cmd.exe","*powershell*") + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_remote_management_execute_shell_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: administrator or power user can execute command shell or script remotely using WINRM. +references: +- https://strontic.github.io/xcyclopedia/library/winrshost.exe-6790044CEB4BA5BE6AA8161460D990FD.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - UPDATE_STORY_NAME + asset_type: Endpoint + confidence: 30 + impact: 30 + message: a winrm remote proces [$parent_process_name$] execute [$process_name$] shell on [$dest$]. + mitre_attack_id: + - T1021.006 + observable: + - name: dest + type: Endpoint + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 9 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://github.com/splunk/contentctl/wiki + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog From 6fc84d916acf38cda009144cc1a3adc2317b723f Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 17 Dec 2024 11:33:34 +0100 Subject: [PATCH 02/13] crypto_campaign --- .../add_or_set_windows_defender_exclusion.yml | 15 +-- .../endpoint/any_powershell_downloadfile.yml | 56 ++++++++--- .../attempt_to_stop_security_service.yml | 55 ++++++++--- .../endpoint/chcp_command_execution.yml | 47 +++++++-- ...cmd_carry_out_string_command_parameter.yml | 64 ++++++++---- ...password_spray_attack_behavior_on_user.yml | 45 +++++++-- .../endpoint/detect_rare_executables.yml | 43 ++++++-- .../download_files_using_telegram.yml | 36 +++++-- .../excessive_service_stop_attempt.yml | 45 +++++++-- .../endpoint/excessive_usage_of_cacls_app.yml | 46 +++++++-- .../excessive_usage_of_sc_service_utility.yml | 38 +++++-- .../endpoint/excessive_usage_of_taskkill.yml | 45 +++++++-- ..._or_script_creation_in_suspicious_path.yml | 99 +++++++++++-------- ..._files_and_directories_with_attrib_exe.yml | 7 +- .../high_process_termination_frequency.yml | 38 +++++-- detections/endpoint/icacls_deny_command.yml | 7 +- detections/endpoint/icacls_grant_command.yml | 51 +++++++--- ...s_powershell_process___encoded_command.yml | 47 ++++++--- ...dify_acl_permission_to_files_or_folder.yml | 40 ++++++-- ...mission_modification_using_takeown_app.yml | 46 +++++++-- .../sc_exe_manipulating_windows_services.yml | 55 ++++++++--- .../endpoint/suspicious_process_file_path.yml | 96 +++++++++++------- ...s_scheduled_task_from_public_directory.yml | 58 ++++++++--- ...ccount_access_removal_via_quser_logoff.yml | 2 +- .../endpoint/windows_autoit3_execution.yml | 46 +++++++-- ..._autostart_execution_in_startup_folder.yml | 36 +++++-- ...s_disable_or_modify_tools_via_taskkill.yml | 44 +++++++-- ...cated_files_or_information_via_rar_sfx.yml | 2 +- ...indows_remote_management_execute_shell.yml | 2 +- .../windows_screen_capture_in_temp_folder.yml | 32 ++++-- ...e_created_with_suspicious_service_path.yml | 47 ++++++--- ..._service_creation_using_registry_entry.yml | 35 ++++--- .../windows_service_deletion_in_registry.yml | 40 ++++++-- .../windows_service_stop_by_deletion.yml | 45 +++++++-- ...rvice_stop_via_net__and_sc_application.yml | 41 ++++++-- .../endpoint/windows_system_file_on_disk.yml | 28 ++++-- ...indows_system_user_discovery_via_quser.yml | 37 +++++-- detections/endpoint/xmrig_driver_loaded.yml | 32 ++++-- stories/crypto_stealer.yml | 17 ++++ 39 files changed, 1185 insertions(+), 380 deletions(-) create mode 100644 stories/crypto_stealer.yml diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 38269fe035..4f89eb2be5 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -1,7 +1,7 @@ name: Add or Set Windows Defender Exclusion id: 773b66fe-4dd9-11ec-8289-acde48001122 -version: '5' -date: '2024-11-28' +version: '6' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP @@ -55,14 +55,15 @@ drilldown_searches: latest_offset: $info_max_time$ tags: analytic_story: - - WhisperGate - - Windows Defense Evasion Tactics + - CISA AA22-320A + - AgentTesla - Remcos - Data Destruction - - CISA AA22-320A - - ValleyRAT - Compromised Windows Host - - AgentTesla + - ValleyRAT + - Windows Defense Evasion Tactics + - WhisperGate + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index 728aa2b257..c39831de5a 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -1,18 +1,40 @@ name: Any Powershell DownloadFile id: 1a93b7ea-7af7-11eb-adb5-acde48001122 -version: 7 -date: '2024-09-30' +version: '8' +date: '2024-12-17' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of PowerShell's `DownloadFile` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context. +description: The following analytic detects the use of PowerShell's `DownloadFile` + method to download files. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. This activity is significant as + it is commonly used in malicious frameworks to download and execute additional payloads. + If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, + or further compromise of the system. Analysts should investigate the source and + destination of the download and review AMSI or PowerShell transaction logs for additional + context. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present and filtering will need to occur + by parent process or command line argument. It may be required to modify this query + to an EDR product for more granular coverage. references: - https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0 - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ @@ -23,26 +45,34 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - DarkCrystal RAT - - Ingress Tool Transfer - Hermetic Wiper - - Malicious PowerShell - - Data Destruction - Log4Shell CVE-2021-44228 - Phemedrone Stealer - - Braodo Stealer + - Data Destruction - PXA Stealer + - Ingress Tool Transfer + - Malicious PowerShell + - DarkCrystal RAT + - Crypto Stealer + - Braodo Stealer asset_type: Endpoint confidence: 70 cve: - CVE-2021-44228 impact: 80 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile + within PowerShell. mitre_attack_id: - T1059 - T1059.001 diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml index a84ecb6ecc..3f924af863 100644 --- a/detections/endpoint/attempt_to_stop_security_service.yml +++ b/detections/endpoint/attempt_to_stop_security_service.yml @@ -1,18 +1,42 @@ name: Attempt To Stop Security Service id: c8e349c6-b97c-486e-8949-bd7bcd1f3910 -version: 7 -date: '2024-09-30' +version: '8' +date: '2024-12-17' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" command with the "stop" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response. +description: The following analytic detects attempts to stop security-related services + on an endpoint, which may indicate malicious activity. It leverages data from Endpoint + Detection and Response (EDR) agents, specifically searching for processes involving + the "sc.exe" command with the "stop" parameter. This activity is significant because + disabling security services can undermine the organization's security posture, potentially + leading to unauthorized access, data exfiltration, or further attacks like malware + installation or privilege escalation. If confirmed malicious, this behavior could + compromise the endpoint and the entire network, necessitating immediate investigation + and response. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: None identified. Attempts to disable security-related services should be identified and understood. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop + *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` |lookup security_services_lookup service as + process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: None identified. Attempts to disable security-related services + should be identified and understood. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ @@ -22,21 +46,28 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - WhisperGate - - Graceful Wipe Out Attack - - Disabling Security Tools - - Data Destruction - Azorult + - Data Destruction + - Disabling Security Tools - Trickbot + - Graceful Wipe Out Attack + - WhisperGate + - Crypto Stealer asset_type: Endpoint confidence: 50 impact: 40 - message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + attempting to disable security services on endpoint $dest$ by user $user$. mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index 2e3fc9984c..d5a4427eba 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml @@ -1,18 +1,40 @@ name: CHCP Command Execution id: 21d236ec-eec1-11eb-b23e-acde48001122 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the execution of the chcp.exe application, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where chcp.exe is executed by cmd.exe with specific command-line arguments. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration. +description: The following analytic detects the execution of the chcp.exe application, + which is used to change the active code page of the console. This detection leverages + data from Endpoint Detection and Response (EDR) agents, focusing on process creation + events where chcp.exe is executed by cmd.exe with specific command-line arguments. + This activity is significant because it can indicate the presence of malware, such + as IcedID, which uses this technique to determine the locale region, language, or + country of the compromised host. If confirmed malicious, this could lead to further + system compromise and data exfiltration. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `chcp_command_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: other tools or script may used this to change code page to UTF-* or others +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com + Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*) + by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process + Processes.process_id Processes.parent_process_id Processes.dest Processes.user | + `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `chcp_command_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: other tools or script may used this to change code page to + UTF-* or others references: - https://ss64.com/nt/chcp.html - https://twitter.com/tccontre18/status/1419941156633329665?s=20 @@ -22,18 +44,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - IcedID - Azorult - Forest Blizzard + - Crypto Stealer + - IcedID asset_type: Endpoint confidence: 30 impact: 30 - message: parent process $parent_process_name$ spawning chcp process $process_name$ with parent command line $parent_process$ + message: parent process $parent_process_name$ spawning chcp process $process_name$ + with parent command line $parent_process$ mitre_attack_id: - T1059 observable: diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index f61bc4534d..05569333b5 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -1,50 +1,72 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 6 -date: '2024-10-17' +version: '7' +date: '2024-12-17' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting -description: The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment. +description: The following analytic detects the use of `cmd.exe /c` to execute commands, + a technique often employed by adversaries and malware to run batch commands or invoke + other shells like PowerShell. This detection leverages data from Endpoint Detection + and Response (EDR) agents, focusing on command-line executions and process metadata. + Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized + command execution. If confirmed malicious, this behavior could lead to unauthorized + code execution, privilege escalation, or persistence within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be high based on legitimate scripted code in any environment. Filter as needed. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* + /c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be high based on legitimate scripted code + in any environment. Filter as needed. references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ tags: analytic_story: - - AsyncRAT - - Winter Vivern - - WhisperGate - - Living Off The Land + - Data Destruction - DarkGate Malware + - Chaos Ransomware + - Hermetic Wiper + - Warzone RAT + - Winter Vivern - ProxyNotShell - - Log4Shell CVE-2021-44228 + - IcedID + - Living Off The Land - NjRAT - - RedLine Stealer + - Log4Shell CVE-2021-44228 + - CISA AA23-347A + - AsyncRAT - Rhysida Ransomware - - IcedID - - Chaos Ransomware - - PlugX + - DarkCrystal RAT + - Crypto Stealer - Azorult - Qakbot - - Hermetic Wiper - - Warzone RAT - - DarkCrystal RAT - - CISA AA23-347A - - Data Destruction + - RedLine Stealer + - PlugX + - WhisperGate asset_type: Endpoint automated_detection_testing: passed confidence: 50 cve: - CVE-2021-44228 impact: 60 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting spawn a new process. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$ attempting spawn a new process. mitre_attack_id: - T1059.003 - T1059 diff --git a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml index a191014ffd..a8226968c8 100644 --- a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml +++ b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml @@ -1,16 +1,37 @@ name: Detect Password Spray Attack Behavior On User id: a7539705-7183-4a12-9b6a-b6eef645a6d7 -version: 2 -date: '2024-09-30' +version: '3' +date: '2024-12-17' author: Steven Dick status: production type: TTP -description: The following analytic identifies any user failing to authenticate from 10 or more unique sources. This behavior could represent an adversary performing a Password Spraying attack to obtain initial access or elevate privileges. This logic can be used for real time security monitoring as well as threat hunting exercises. Environments can be very different depending on the organization. Test and customize this detections thresholds as needed +description: The following analytic identifies any user failing to authenticate from + 10 or more unique sources. This behavior could represent an adversary performing + a Password Spraying attack to obtain initial access or elevate privileges. This + logic can be used for real time security monitoring as well as threat hunting exercises. + Environments can be very different depending on the organization. Test and customize + this detections thresholds as needed data_source: - Authentication Events (various) -search: '| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) as src_category values(Authentication.app) as app count from datamodel=Authentication.Authentication where * by Authentication.action,Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")` | eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), success=if(action="success",count,0), src=upper(src), success_src=if(action="success",src,null), failure=if(action="failure",count,0), failed_src=if(action="failure",src,null) | `detect_password_spray_attack_behavior_on_user_filter` | stats count min(firstTime) as firstTime max(lastTime) as lastTime values(app) as app values(src_category) as src_category values(success_src) as src values(failed_src) as failed_src dc(success_src) as success_dc dc(failed_src) as failed_dc dc(src) as src_dc, sum(failure) as failure, sum(success) as success by user | fields - _time | where src_dc >= 10 AND .25 > (success/failure) AND failed_dc > success_dc | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' -how_to_implement: This detection requires ingesting authentication data to the appropriate accelerated datamodel. Recommend adjusting the search time window for this correlation to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs -known_false_positives: Domain controllers, authentication chokepoints, and vulnerability scanners. +search: '| tstats `security_content_summariesonly` max(_time) as lastTime, min(_time) + as firstTime, values(Authentication.user_category) as user_category values(Authentication.src_category) + as src_category values(Authentication.app) as app count from datamodel=Authentication.Authentication + where * by Authentication.action,Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")` + | eval user=case((match(upper(user),"[a-zA-Z0-9]{3}")),upper(user),true(),null), + success=if(action="success",count,0), src=upper(src), success_src=if(action="success",src,null), + failure=if(action="failure",count,0), failed_src=if(action="failure",src,null) | + `detect_password_spray_attack_behavior_on_user_filter` | stats count min(firstTime) + as firstTime max(lastTime) as lastTime values(app) as app values(src_category) as + src_category values(success_src) as src values(failed_src) as failed_src dc(success_src) + as success_dc dc(failed_src) as failed_dc dc(src) as src_dc, sum(failure) as failure, + sum(success) as success by user | fields - _time | where src_dc >= 10 AND .25 > + (success/failure) AND failed_dc > success_dc | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' +how_to_implement: This detection requires ingesting authentication data to the appropriate + accelerated datamodel. Recommend adjusting the search time window for this correlation + to match the number of unique users (user_dc) in hours. i.e. 10 users over 10hrs +known_false_positives: Domain controllers, authentication chokepoints, and vulnerability + scanners. references: - https://attack.mitre.org/techniques/T1110/003/ - https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ @@ -21,16 +42,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$src$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Compromised User Account + - Crypto Stealer asset_type: Account confidence: 75 impact: 80 - message: A total of $src_dc$ distinct sources attempted to access the account [$user$], $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected. + message: A total of $src_dc$ distinct sources attempted to access the account [$user$], + $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins + detected. mitre_attack_id: - T1110.003 - T1110 diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml index 8c752373bf..547df9f00b 100644 --- a/detections/endpoint/detect_rare_executables.yml +++ b/detections/endpoint/detect_rare_executables.yml @@ -1,18 +1,38 @@ name: Detect Rare Executables id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac -version: 6 -date: '2024-09-30' +version: '7' +date: '2024-12-17' author: Bhavin Patel, Splunk status: production type: Anomaly -description: The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact. +description: The following analytic detects the execution of rare processes that appear + only once across the network within a specified timeframe. It leverages data from + Endpoint Detection and Response (EDR) agents, focusing on process execution logs. + This activity is significant for a SOC as it helps identify potentially malicious + activities or unauthorized software, which could indicate a security breach or ongoing + attack. If confirmed malicious, such rare processes could lead to data theft, privilege + escalation, or complete system compromise, making early detection crucial for minimizing + impact. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Some legitimate processes may be only rarely executed in your environment. +search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) + as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` + | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_rare_executables_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Some legitimate processes may be only rarely executed in your + environment. references: [] drilldown_searches: - name: View the detection results for - "$dest$" @@ -20,17 +40,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Unusual Processes - Rhysida Ransomware + - Crypto Stealer asset_type: Endpoint confidence: 50 impact: 50 - message: A rare process - [$process_name$] has been detected on less than 10 hosts in your environment. + message: A rare process - [$process_name$] has been detected on less than 10 hosts + in your environment. mitre_attack_id: - T1204 observable: diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml index 32643a7bbd..279deb8cd0 100644 --- a/detections/endpoint/download_files_using_telegram.yml +++ b/detections/endpoint/download_files_using_telegram.yml @@ -1,16 +1,30 @@ name: Download Files Using Telegram id: 58194e28-ae5e-11eb-8912-acde48001122 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network. +description: The following analytic detects suspicious file downloads by the Telegram + application on a Windows system. It leverages Sysmon EventCode 15 to identify instances + where Telegram.exe creates files with a Zone.Identifier, indicating a download. + This activity is significant as it may indicate an adversary using Telegram to download + malicious tools, such as network scanners, for further exploitation. If confirmed + malicious, this behavior could lead to network mapping, lateral movement, and potential + compromise of additional systems within the network. data_source: - Sysmon EventID 15 -search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints or Events that monitor filestream events which is happened when process download something. (EventCode 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: normal download of file in telegram app. (if it was a common app in network) +search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" + |stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode process_name + process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `download_files_using_telegram_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and TargetFilename from your endpoints or Events that + monitor filestream events which is happened when process download something. (EventCode + 15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon + TA. +known_false_positives: normal download of file in telegram app. (if it was a common + app in network) references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: @@ -19,14 +33,20 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - XMRig - Phemedrone Stealer + - Crypto Stealer - Snake Keylogger + - XMRig asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml index 90dcb51e91..d8a67122f8 100644 --- a/detections/endpoint/excessive_service_stop_attempt.yml +++ b/detections/endpoint/excessive_service_stop_attempt.yml @@ -1,17 +1,39 @@ name: Excessive Service Stop Attempt id: ae8d3f4a-acd7-11eb-8846-acde48001122 -version: 5 -date: '2024-09-30' +version: '6' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects multiple attempts to stop or delete services on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and command-line executions within a one-minute window. This activity is significant as it may indicate an adversary attempting to disable security or critical services to evade detection and further their objectives. If confirmed malicious, this could lead to the attacker gaining persistence, escalating privileges, or disrupting essential services, thereby compromising the system's security posture. +description: The following analytic detects multiple attempts to stop or delete services + on a system using `net.exe`, `sc.exe`, or `net1.exe`. It leverages Endpoint Detection + and Response (EDR) telemetry, focusing on process names and command-line executions + within a one-minute window. This activity is significant as it may indicate an adversary + attempting to disable security or critical services to evade detection and further + their objectives. If confirmed malicious, this could lead to the attacker gaining + persistence, escalating privileges, or disrupting essential services, thereby compromising + the system's security posture. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name + = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" + OR Processes.process="*delete*" by Processes.process_name Processes.original_file_name + Processes.parent_process_name Processes.dest Processes.user _time span=1m | where + count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: unknown references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ @@ -21,18 +43,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - XMRig - Ransomware - BlackByte Ransomware + - Crypto Stealer + - XMRig asset_type: Endpoint confidence: 100 impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services. + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to disable services. mitre_attack_id: - T1489 observable: diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index c68c383ee9..36bdf29052 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -1,18 +1,39 @@ name: Excessive Usage Of Cacls App id: 0bdf6092-af17-11eb-939a-acde48001122 -version: 4 -date: '2024-09-30' +version: '5' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities. +description: The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, + or `icacls.exe` to change file or folder permissions. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process names and command-line + executions. This activity is significant as it may indicate an adversary attempting + to restrict access to malware components or artifacts on a compromised system. If + confirmed malicious, this behavior could prevent users from deleting or accessing + critical files, aiding in the persistence and concealment of malicious activities. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id values(Processes.process_name) as process_name + count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" + OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process + Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. + Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ drilldown_searches: @@ -21,19 +42,26 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - XMRig - Azorult - Windows Post-Exploitation - Prestige Ransomware + - XMRig + - Crypto Stealer asset_type: Endpoint confidence: 100 impact: 80 - message: An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions. + message: An excessive amount of $process_name$ was executed on $dest$ attempting + to modify permissions. mitre_attack_id: - T1222 observable: diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index 331e4ae543..f81eb1785e 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml @@ -1,18 +1,34 @@ name: Excessive Usage Of SC Service Utility id: cb6b339e-d4c6-11eb-a026-acde48001122 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects excessive usage of the `sc.exe` service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where `sc.exe` is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses. +description: The following analytic detects excessive usage of the `sc.exe` service + utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances + where `sc.exe` is executed more frequently than normal within a 15-minute window. + This behavior is significant as it is commonly associated with ransomware, cryptocurrency + miners, and other malware attempting to create, modify, delete, or disable services, + potentially related to security applications or for privilege escalation. If confirmed + malicious, this activity could allow attackers to manipulate critical services, + leading to system compromise or disruption of security defenses. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | stats values(process) as process count as numScExe by dest, _time | eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. -known_false_positives: excessive execution of sc.exe is quite suspicious since it can modify or execute app in high privilege permission. +search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m | + stats values(process) as process count as numScExe by dest, _time | eventstats + avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest + | eval upperThreshold=(avgScExe + stdScExe *3) | eval isOutlier=if(avgScExe > + 5 and avgScExe >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_usage_of_sc_service_utility_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used. +known_false_positives: excessive execution of sc.exe is quite suspicious since it + can modify or execute app in high privilege permission. references: - https://app.any.run/tasks/c0f98850-af65-4352-9746-fbebadee4f05/ drilldown_searches: @@ -21,13 +37,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Ransomware - Azorult + - Ransomware + - Crypto Stealer asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index d84d915514..917a20b309 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -1,17 +1,37 @@ name: Excessive Usage Of Taskkill id: fe5bca48-accb-11eb-a67c-acde48001122 -version: 4 -date: '2024-09-30' +version: '5' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies excessive usage of `taskkill.exe`, a command-line utility used to terminate processes. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` is executed ten or more times within a one-minute span. This behavior is significant as adversaries often use `taskkill.exe` to disable security tools or other critical processes to evade detection. If confirmed malicious, this activity could allow attackers to bypass security defenses, maintain persistence, and further compromise the system. +description: The following analytic identifies excessive usage of `taskkill.exe`, + a command-line utility used to terminate processes. The detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on instances where `taskkill.exe` + is executed ten or more times within a one-minute span. This behavior is significant + as adversaries often use `taskkill.exe` to disable security tools or other critical + processes to evade detection. If confirmed malicious, this activity could allow + attackers to bypass security defenses, maintain persistence, and further compromise + the system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by + Processes.parent_process_name Processes.process_name Processes.dest Processes.user + _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ @@ -22,21 +42,28 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - XMRig - Azorult - - CISA AA22-264A - AgentTesla - CISA AA22-277A - NjRAT + - CISA AA22-264A + - XMRig + - Crypto Stealer asset_type: Endpoint confidence: 70 impact: 40 - message: Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$. + message: Excessive usage of taskkill.exe with process id $process_id$ (more than + 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$. mitre_attack_id: - T1562.001 - T1562 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 75d4463450..59a2e517d2 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,23 +1,35 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 5 -date: '2024-11-28' +version: '6' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat. +description: The following analytic identifies the creation of executables or scripts + in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem + data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created + in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is + significant as adversaries often use these paths to evade detection and maintain + persistence. If confirmed malicious, this behavior could allow attackers to execute + unauthorized code, escalate privileges, or persist within the environment, posing + a significant security threat. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where - Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND - Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*") - by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as + file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", + "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*", + "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", + "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*") + by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in the paths specified. Filter as needed. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in the paths + specified. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ @@ -29,50 +41,57 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: + - Volt Typhoon + - LockBit Ransomware + - Data Destruction + - Snake Keylogger + - XMRig + - DarkGate Malware + - Chaos Ransomware - Double Zero Destructor + - Hermetic Wiper + - Warzone RAT + - AcidPour - Graceful Wipe Out Attack - - AsyncRAT - - WhisperGate - - DarkGate Malware - - AgentTesla - - Brute Ratel C4 + - BlackByte Ransomware + - IcedID - NjRAT - - RedLine Stealer + - Handala Wiper + - Meduza Stealer + - CISA AA23-347A + - AsyncRAT + - Amadey + - Industroyer2 + - ValleyRAT - Rhysida Ransomware - - Swift Slicer - - IcedID - DarkCrystal RAT - - Chaos Ransomware - - PlugX - - Industroyer2 + - Crypto Stealer - Azorult - - Remcos - - XMRig + - Swift Slicer + - AgentTesla - Qakbot - - Volt Typhoon - - Hermetic Wiper - - Warzone RAT + - Remcos - Trickbot - - Amadey - - BlackByte Ransomware - - LockBit Ransomware - - CISA AA23-347A - - Data Destruction - - Snake Keylogger - - AcidPour - - Handala Wiper + - Brute Ratel C4 + - RedLine Stealer + - PlugX - MoonPeak - - ValleyRAT - - Meduza Stealer + - WhisperGate asset_type: Endpoint confidence: 50 impact: 40 - message: Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$ + message: Suspicious executable or scripts with file name $file_name$, $file_path$ + and process_id $process_id$ executed in suspicious file path in Windows by $user$ mitre_attack_id: - T1036 observable: diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 328268b77a..73cad59c98 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -1,7 +1,7 @@ name: Hiding Files And Directories With Attrib exe id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1 -version: '8' -date: '2024-11-28' +version: '9' +date: '2024-12-17' author: Bhavin Patel, Splunk status: production type: TTP @@ -50,10 +50,11 @@ drilldown_searches: latest_offset: $info_max_time$ tags: analytic_story: - - Windows Persistence Techniques - Azorult + - Windows Persistence Techniques - Compromised Windows Host - Windows Defense Evasion Tactics + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 90 diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index 6835d76660..7f75080cd3 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml @@ -1,15 +1,26 @@ name: High Process Termination Frequency id: 17cd75b2-8666-11eb-9ab4-acde48001122 -version: 5 -date: '2024-09-30' +version: '6' +date: '2024-12-17' author: Teoderick Contreras status: production type: Anomaly -description: The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss. +description: The following analytic identifies a high frequency of process termination + events on a computer within a short period. It leverages Sysmon EventCode 5 logs + to detect instances where 15 or more processes are terminated within a 3-second + window. This behavior is significant as it is commonly associated with ransomware + attempting to avoid exceptions during file encryption. If confirmed malicious, this + activity could indicate an active ransomware attack, potentially leading to widespread + file encryption and significant data loss. data_source: - Sysmon EventID 5 -search: '`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `high_process_termination_frequency_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Image (process full path of terminated process) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=5 |bin _time span=3s |stats values(Image) as proc_terminated + min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID + | where count >= 15 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `high_process_termination_frequency_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Image (process full path of terminated process) from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: admin or user tool that can terminate multiple process. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft @@ -20,20 +31,27 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Clop Ransomware - LockBit Ransomware - - BlackByte Ransomware - - Rhysida Ransomware + - Clop Ransomware - Snake Keylogger + - Rhysida Ransomware + - BlackByte Ransomware + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 90 - message: High frequency process termination (more than 15 processes within 3s) detected on host $dest$ + message: High frequency process termination (more than 15 processes within 3s) detected + on host $dest$ mitre_attack_id: - T1486 observable: diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index bbb37ece01..d0dc9adb73 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -1,7 +1,7 @@ name: Icacls Deny Command id: cf8d753e-a8fe-11eb-8f58-acde48001122 -version: '4' -date: '2024-11-28' +version: '5' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP @@ -54,8 +54,9 @@ tags: analytic_story: - Azorult - Sandworm Tools - - XMRig - Compromised Windows Host + - XMRig + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 90 diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 9445ecf5d7..8e18f883b8 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -1,17 +1,37 @@ name: ICACLS Grant Command id: b1b1e316-accc-11eb-a9b4-acde48001122 -version: 3 -date: '2024-09-30' +version: '5' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects the use of the ICACLS command to grant additional access permissions to files or directories. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process names and command-line arguments. This activity is significant because it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to manipulate file permissions, potentially leading to unauthorized access, data exfiltration, or further system compromise. +type: Anomaly +description: The following analytic detects the use of the ICACLS command to grant + additional access permissions to files or directories. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on specific process names and command-line + arguments. This activity is significant because it is commonly used by Advanced + Persistent Threats (APTs) and coinminer scripts to evade detection and maintain + control over compromised systems. If confirmed malicious, this behavior could allow + attackers to manipulate file permissions, potentially leading to unauthorized access, + data exfiltration, or further system compromise. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", + "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name + Processes.parent_process Processes.process_name Processes.process Processes.process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `icacls_grant_command_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: Unknown. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ @@ -21,17 +41,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - XMRig - Ransomware + - Crypto Stealer + - XMRig asset_type: Endpoint - confidence: 70 - impact: 70 - message: Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$ + confidence: 50 + impact: 50 + message: Process name $process_name$ with grant argument executed by $user$ to change + security permission of a specific file or directory on host $dest$ mitre_attack_id: - T1222 observable: @@ -55,7 +82,7 @@ tags: - Processes.user - Processes.process_id - Processes.process - risk_score: 49 + risk_score: 25 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index 2b22f40390..7b71b2d244 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -1,17 +1,39 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 11 -date: '2024-10-17' +version: '12' +date: '2024-12-17' author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting -description: The following analytic detects the use of the EncodedCommand parameter in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data to identify variations of the EncodedCommand parameter, including shortened forms and different command switch types. This activity is significant because adversaries often use encoded commands to obfuscate malicious scripts, making detection harder. If confirmed malicious, this behavior could allow attackers to execute hidden code, potentially leading to unauthorized access, privilege escalation, or persistent threats within the environment. Review parallel events to determine legitimacy and tune based on known administrative scripts. +description: The following analytic detects the use of the EncodedCommand parameter + in PowerShell processes. It leverages Endpoint Detection and Response (EDR) data + to identify variations of the EncodedCommand parameter, including shortened forms + and different command switch types. This activity is significant because adversaries + often use encoded commands to obfuscate malicious scripts, making detection harder. + If confirmed malicious, this behavior could allow attackers to execute hidden code, + potentially leading to unauthorized access, privilege escalation, or persistent + threats within the environment. Review parallel events to determine legitimacy and + tune based on known administrative scripts. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013|\u2014|\u2015][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\") | `malicious_powershell_process___encoded_command_filter`" -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\ + \ as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user\ + \ Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name\ + \ Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`\ + \ | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|\u2013\ + |\u2014|\u2015][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\"\ + ) | `malicious_powershell_process___encoded_command_filter`" +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: System administrators may use this option, but it's not common. references: - https://regexr.com/662ov @@ -22,17 +44,18 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ tags: analytic_story: - - Hermetic Wiper - - Malicious PowerShell - - NOBELIUM Group - - WhisperGate - - DarkCrystal RAT - - Qakbot - CISA AA22-320A + - Hermetic Wiper - Sandworm Tools - - Data Destruction + - Qakbot - Volt Typhoon + - NOBELIUM Group + - Data Destruction - Lumma Stealer + - Malicious PowerShell + - DarkCrystal RAT + - WhisperGate + - Crypto Stealer asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index abcc1f260d..46322d94ca 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -1,17 +1,39 @@ name: Modify ACL permission To Files Or Folder id: 7e8458cc-acca-11eb-9e3f-acde48001122 -version: 4 -date: '2024-09-30' +version: '6' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise. +description: The following analytic detects the modification of ACL permissions to + files or folders, making them accessible to everyone or to system account. It leverages + data from Endpoint Detection and Response (EDR) agents, focusing on processes like + "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments. + This activity is significant as it may indicate an adversary attempting to evade + ACLs or access protected files. If confirmed malicious, this could allow unauthorized + access to sensitive data, potentially leading to data breaches or further system + compromise. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe") AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe" + OR Processes.process_name = "icacls.exe" OR Processes.process_name = "xcacls.exe") + AND Processes.process = "*/G*" AND (Processes.process = "* everyone:*" OR Processes.process + = "* SYSTEM:*" OR Processes.process = "* S-1-1-0:*") by Processes.parent_process_name + Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modify_acl_permission_to_files_or_folder_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. known_false_positives: administrators may use this command. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ @@ -21,11 +43,17 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: + - Crypto Stealer - XMRig asset_type: Endpoint confidence: 80 diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index 9f41a164a9..928faecc2b 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml @@ -1,18 +1,39 @@ name: Permission Modification using Takeown App id: fa7ca5c6-c9d8-11eb-bce9-acde48001122 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data. +description: The following analytic detects the modification of file or directory + permissions using the takeown.exe Windows application. It leverages data from Endpoint + Detection and Response (EDR) agents, focusing on process execution logs that include + process GUID, process name, and command-line details. This activity is significant + because it is a common technique used by ransomware to take ownership of files or + folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized + access, data encryption, or data destruction, severely impacting the integrity and + availability of critical data. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe" Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: takeown.exe is a normal windows application that may used by network operator. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe" + Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process + Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id + Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: takeown.exe is a normal windows application that may used by + network operator. references: - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ drilldown_searches: @@ -21,17 +42,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Ransomware - Sandworm Tools + - Ransomware + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 70 - message: A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$ + message: A suspicious of execution of $process_name$ with process id $process_id$ + and commandline $process$ to modify permission of directory or files in host $dest$ mitre_attack_id: - T1222 observable: diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index 972d6b948a..97d5cbea9c 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml @@ -1,18 +1,40 @@ name: Sc exe Manipulating Windows Services id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d -version: 6 -date: '2024-09-30' +version: '7' +date: '2024-12-17' author: Rico Valdez, Splunk status: production type: TTP -description: The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment. +description: The following analytic detects the creation or modification of Windows + services using the sc.exe command. It leverages data from Endpoint Detection and + Response (EDR) agents, focusing on process names and command-line arguments. This + activity is significant because manipulating Windows services can be a method for + attackers to establish persistence, escalate privileges, or execute arbitrary code. + If confirmed malicious, this behavior could allow an attacker to maintain long-term + access, disrupt services, or gain control over critical system functions, posing + a severe threat to the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* + config *") by Processes.process_name Processes.parent_process_name Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Using sc.exe to manipulate Windows services is uncommon. However, + there may be legitimate instances of this behavior. It is important to validate + and investigate as appropriate. references: - https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver drilldown_searches: @@ -21,23 +43,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Windows Service Abuse - - DHS Report TA18-074A + - Azorult - Orangeworm Attack Group + - Windows Drivers + - NOBELIUM Group - Windows Persistence Techniques - Disabling Security Tools - - NOBELIUM Group - - Azorult - - Windows Drivers + - Windows Service Abuse + - DHS Report TA18-074A + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 70 - message: A sc process $process_name$ with commandline $process$ to create of configure services in host $dest$ + message: A sc process $process_name$ with commandline $process$ to create of configure + services in host $dest$ mitre_attack_id: - T1543.003 - T1543 diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 061285ff6d..da49c97ad9 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -1,18 +1,41 @@ name: Suspicious Process File Path id: 9be25988-ad82-11eb-a14f-acde48001122 -version: 5 -date: '2024-11-28' +version: '7' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment. +description: The following analytic identifies processes running from file paths not + typically associated with legitimate software. It leverages data from Endpoint Detection + and Response (EDR) agents, focusing on specific process paths within the Endpoint + data model. This activity is significant because adversaries often use unconventional + file paths to execute malicious code without requiring administrative privileges. + If confirmed malicious, this behavior could indicate an attempt to bypass security + controls, leading to unauthorized software execution, potential system compromise, + and further malicious activities within the environment. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\windows\\fonts\\*" OR Processes.process_path = "*\\windows\\temp\\*" OR Processes.process_path = "*\\users\\public\\*" OR Processes.process_path = "*\\windows\\debug\\*" OR Processes.process_path = "*\\Users\\Administrator\\Music\\*" OR Processes.process_path = "*\\Windows\\servicing\\*" OR Processes.process_path = "*\\Users\\Default\\*" OR Processes.process_path = "*Recycle.bin*" OR Processes.process_path = "*\\Windows\\Media\\*" OR Processes.process_path = "\\Windows\\repair\\*" OR Processes.process_path = "*\\temp\\*" OR Processes.process_path = "*\\PerfLogs\\*" by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_path IN("*\\windows\\fonts\\*", + "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", + "*\\temp\\*" , "*\\PerfLogs\\*","*\\windows\\tasks\\*", "*:\\programdata\\*") by + Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest + Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Administrators may allow execution of specific binaries in + non-standard paths. Filter as needed. references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ @@ -25,49 +48,56 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: + - Volt Typhoon + - LockBit Ransomware + - Data Destruction + - XMRig + - DarkGate Malware + - Chaos Ransomware - Double Zero Destructor + - Hermetic Wiper + - Warzone RAT + - Phemedrone Stealer + - Prestige Ransomware - Graceful Wipe Out Attack + - BlackByte Ransomware + - IcedID + - Handala Wiper + - Meduza Stealer + - CISA AA23-347A - AsyncRAT - - WhisperGate - - Prestige Ransomware - - DarkGate Malware - - AgentTesla - - Brute Ratel C4 - - RedLine Stealer + - Amadey + - Industroyer2 + - ValleyRAT - Rhysida Ransomware - - Swift Slicer - - IcedID - DarkCrystal RAT - - Chaos Ransomware - - PlugX - - Industroyer2 + - Crypto Stealer - Azorult - - Remcos - - XMRig + - Swift Slicer + - AgentTesla - Qakbot - - Volt Typhoon - - Hermetic Wiper - - Warzone RAT + - Remcos - Trickbot - - Amadey - - BlackByte Ransomware - - LockBit Ransomware - - CISA AA23-347A - - Data Destruction - - Phemedrone Stealer - - Handala Wiper + - Brute Ratel C4 + - RedLine Stealer + - PlugX - MoonPeak - - ValleyRAT - - Meduza Stealer + - WhisperGate asset_type: Endpoint confidence: 50 impact: 70 - message: Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$ + message: Suspicious process $process_name$ running from a suspicious process path- + $process_path$ on host- $dest$ mitre_attack_id: - T1543 observable: diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 3b2a40cac0..cb80824bc0 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,18 +1,42 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of scheduled tasks that execute binaries or scripts from public directories, such as users\public, \programdata\, or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon Event ID 1 data to detect this behavior. This activity is significant because it often indicates an attempt to maintain persistence or execute malicious scripts, which are common tactics in malware deployment. If confirmed as malicious, this could lead to data compromise, unauthorized access, and potential lateral movement within the network. +description: The following analytic identifies the creation of scheduled tasks that + execute binaries or scripts from public directories, such as users\public, \programdata\, + or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon + Event ID 1 data to detect this behavior. This activity is significant because it + often indicates an attempt to maintain persistence or execute malicious scripts, + which are common tactics in malware deployment. If confirmed as malicious, this + could lead to data compromise, unauthorized access, and potential lateral movement + within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR Processes.process=*windows\\temp*) Processes.process=*/create* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: The main source of false positives could be the legitimate use of scheduled tasks from these directories. Careful tuning of this search may be necessary to suit the specifics of your environment, reducing the rate of false positives. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe + (Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR + Processes.process=*windows\\temp*) Processes.process=*/create* by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: The main source of false positives could be the legitimate + use of scheduled tasks from these directories. Careful tuning of this search may + be necessary to suit the specifics of your environment, reducing the rate of false + positives. references: - https://attack.mitre.org/techniques/T1053/005/ drilldown_searches: @@ -21,21 +45,27 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Azorult - - Ryuk Ransomware - - Scheduled Tasks - - Ransomware - - Windows Persistence Techniques - - Living Off The Land - - DarkCrystal RAT - - CISA AA23-347A - MoonPeak - CISA AA24-241A + - Windows Persistence Techniques + - CISA AA23-347A + - Ransomware + - Scheduled Tasks + - Ryuk Ransomware + - Crypto Stealer + - DarkCrystal RAT + - Living Off The Land asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml b/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml index f942569055..8084ca1e11 100644 --- a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml +++ b/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml @@ -61,6 +61,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://github.com/splunk/contentctl/wiki + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/log_off_user/pwh_quser_logoff.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml index bfa49d58ee..9ab54fd2cb 100644 --- a/detections/endpoint/windows_autoit3_execution.yml +++ b/detections/endpoint/windows_autoit3_execution.yml @@ -1,7 +1,7 @@ name: Windows AutoIt3 Execution id: 0ecb40d9-492b-4a57-9f87-515dd742794c -version: 4 -date: '2024-09-30' +version: '5' +date: '2024-12-17' author: Michael Haag, Splunk status: production type: TTP @@ -9,10 +9,31 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the execution of AutoIt3, a scripting language often used for automating Windows GUI tasks and general scripting. It identifies instances where AutoIt3 or its variants are executed by searching for process names or original file names matching 'autoit3.exe'. This activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware. If confirmed malicious, this activity could lead to unauthorized code execution, system compromise, or further propagation of malware within the environment. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives may be present if the application is legitimately used, filter by user or endpoint as needed. +description: The following analytic detects the execution of AutoIt3, a scripting + language often used for automating Windows GUI tasks and general scripting. It identifies + instances where AutoIt3 or its variants are executed by searching for process names + or original file names matching 'autoit3.exe'. This activity is significant because + attackers frequently use AutoIt3 to automate malicious actions, such as executing + malware. If confirmed malicious, this activity could lead to unauthorized code execution, + system compromise, or further propagation of malware within the environment. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("autoit3.exe", + "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe") + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_autoit3_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives may be present if the application is legitimately + used, filter by user or endpoint as needed. references: - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-25-IOCs-from-DarkGate-activity.txt drilldown_searches: @@ -21,18 +42,25 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - DarkGate Malware + - Crypto Stealer - Handala Wiper + - DarkGate Malware asset_type: Endpoint atomic_guid: [] confidence: 100 impact: 50 - message: Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by + message: Execution of AutoIt3 detected. The source process is $parent_process_name$ + and the destination process is $process_name$ on $dest$ by mitre_attack_id: - T1059 observable: diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 743156d77b..8267b2bf57 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -1,16 +1,30 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the creation of files in the Windows %startup% folder, a common persistence technique. It leverages the Endpoint.Filesystem data model to identify file creation events in this specific directory. This activity is significant because adversaries often use the startup folder to ensure their malicious code executes automatically upon system boot or user logon. If confirmed malicious, this could allow attackers to maintain persistence on the host, potentially leading to further system compromise and unauthorized access to sensitive information. +description: The following analytic detects the creation of files in the Windows %startup% + folder, a common persistence technique. It leverages the Endpoint.Filesystem data + model to identify file creation events in this specific directory. This activity + is significant because adversaries often use the startup folder to ensure their + malicious code executes automatically upon system boot or user logon. If confirmed + malicious, this could allow attackers to maintain persistence on the host, potentially + leading to further system compromise and unauthorized access to sensitive information. data_source: - Sysmon EventID 11 -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in this path. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path = "*\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\\*" by Filesystem.file_create_time Filesystem.process_id + Filesystem.file_name Filesystem.user Filesystem.file_path Filesystem.process_guid + Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_boot_or_logon_autostart_execution_in_startup_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the Filesystem responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in this + path. references: - https://attack.mitre.org/techniques/T1204/002/ - https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia @@ -20,15 +34,21 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Chaos Ransomware - NjRAT - RedLine Stealer - Gozi Malware + - Crypto Stealer + - Chaos Ransomware asset_type: Endpoint confidence: 90 impact: 90 diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index 91e1238744..240bde942d 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -1,7 +1,7 @@ name: Windows Disable or Modify Tools Via Taskkill id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0 -version: 5 -date: '2024-09-30' +version: '6' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -9,10 +9,32 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic identifies the use of taskkill.exe to forcibly terminate processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions that include specific taskkill parameters. This activity is significant because it can indicate attempts to disable security tools or disrupt legitimate applications, a common tactic in malware operations. If confirmed malicious, this behavior could allow attackers to evade detection, disrupt system stability, and potentially gain further control over the compromised system. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_modify_tools_via_taskkill_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Network administrator can use this application to kill process during audit or investigation. +description: The following analytic identifies the use of taskkill.exe to forcibly + terminate processes. It leverages data from Endpoint Detection and Response (EDR) + agents, focusing on command-line executions that include specific taskkill parameters. + This activity is significant because it can indicate attempts to disable security + tools or disrupt legitimate applications, a common tactic in malware operations. + If confirmed malicious, this behavior could allow attackers to evade detection, + disrupt system stability, and potentially gain further control over the compromised + system. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" + Processes.process IN ("* /f*", "* /t*") Processes.process IN ("* /im*", "* /pid*") + by Processes.parent_process_name Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_disable_or_modify_tools_via_taskkill_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Network administrator can use this application to kill process + during audit or investigation. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: @@ -21,13 +43,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - NjRAT - PXA Stealer + - NjRAT + - Crypto Stealer asset_type: Endpoint confidence: 60 impact: 60 diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml index 9852179d8a..19f87dbfcc 100644 --- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -63,6 +63,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://github.com/splunk/contentctl/wiki + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml index 2fcb2a13fe..9d4f965dcd 100644 --- a/detections/endpoint/windows_remote_management_execute_shell.yml +++ b/detections/endpoint/windows_remote_management_execute_shell.yml @@ -70,6 +70,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://github.com/splunk/contentctl/wiki + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wirm_execute_shell/winrshost_pwh.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index cbdf0d19b7..e07a5d2ccc 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml @@ -1,19 +1,25 @@ name: Windows Screen Capture in TEMP folder id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c -version: 1 -date: '2024-09-24' +version: '2' +date: '2024-12-17' author: Teoderick Contreras, Splunk data_sources: - Sysmon Event ID 11 type: TTP status: production -description: The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised. -search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem - where Filesystem.file_name IN ("screenshot.png", "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" - by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time - | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` +description: The following analytic detects the creation of screen capture files by + the Braodo stealer malware. This stealer is known to capture screenshots of the + victim's desktop as part of its data theft activities. The detection focuses on + identifying unusual screen capture activity, especially when images are saved in + directories often used by malware, such as temporary or hidden folders. Monitoring + for these files helps to quickly identify malicious screen capture attempts, allowing + security teams to respond and mitigate potential information exposure before sensitive + data is compromised. +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("screenshot.png", + "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" by _time + Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_screen_capture_in_temp_folder_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from @@ -30,11 +36,17 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: + - Crypto Stealer - Braodo Stealer asset_type: Endpoint confidence: 80 diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 934a861942..0d0b564329 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml @@ -1,16 +1,30 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 7 -date: '2024-09-30' +version: '8' +date: '2024-12-17' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. +description: The following analytic detects the creation of a Windows Service with + a binary path located in uncommon directories, using Windows Event ID 7045. It leverages + logs from the `wineventlog_system` to identify services installed outside typical + system directories. This activity is significant as adversaries, including those + deploying Clop ransomware, often create malicious services for lateral movement, + remote code execution, persistence, and execution. If confirmed malicious, this + could allow attackers to maintain persistence, execute arbitrary code, and potentially + escalate privileges, posing a severe threat to the environment. data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -known_false_positives: Legitimate applications may install services with uncommon services paths. +search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath IN + ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*")) + | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath + ServiceName ServiceType StartType Computer UserID | rename Computer as dest| `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_path_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. +known_false_positives: Legitimate applications may install services with uncommon + services paths. references: - https://www.mandiant.com/resources/fin11-email-campaigns-precursor-for-ransomware-data-theft - https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html @@ -20,23 +34,30 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Clop Ransomware - - Active Directory Lateral Movement - - Brute Ratel C4 - Qakbot - - Snake Malware + - CISA AA23-347A - Flax Typhoon + - Clop Ransomware + - Brute Ratel C4 - PlugX - - CISA AA23-347A + - Active Directory Lateral Movement + - Crypto Stealer + - Snake Malware asset_type: Endpoint confidence: 80 impact: 70 - message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$ + message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ + on $dest$ mitre_attack_id: - T1569 - T1569.002 diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index ae49992523..408380ac63 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,17 +1,23 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 6 -date: '2024-11-14' +version: '7' +date: '2024-12-17' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP -description: The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes. +description: The following analytic detects the modification of registry keys that + define Windows services using reg.exe. This detection leverages Splunk to search + for specific keywords in the registry path, value name, and value data fields. This + activity is significant because it indicates potential unauthorized changes to service + configurations, a common persistence technique used by attackers. If confirmed malicious, + this could allow an attacker to maintain access, escalate privileges, or move laterally + within the network, leading to data theft, ransomware, or other damaging outcomes. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name - = ImagePath) BY Registry.dest Registry.user Registry.registry_path +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" + Registry.registry_value_name = ImagePath) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`' @@ -29,22 +35,29 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Active Directory Lateral Movement - - Suspicious Windows Registry Activities - Windows Persistence Techniques + - CISA AA23-347A - Windows Registry Abuse - Brute Ratel C4 - PlugX - - CISA AA23-347A + - Suspicious Windows Registry Activities + - Active Directory Lateral Movement + - Crypto Stealer asset_type: Endpoint confidence: 80 impact: 80 - message: A Windows Service was created on a endpoint from $dest$ using a registry entry + message: A Windows Service was created on a endpoint from $dest$ using a registry + entry mitre_attack_id: - T1574.011 observable: diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml index 95df38040e..7ae071669e 100644 --- a/detections/endpoint/windows_service_deletion_in_registry.yml +++ b/detections/endpoint/windows_service_deletion_in_registry.yml @@ -1,17 +1,35 @@ name: Windows Service Deletion In Registry id: daed6823-b51c-4843-a6ad-169708f1323e -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects the deletion of a service from the Windows Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry datamodel, specifically monitoring registry paths and actions related to service deletion. This activity is significant as adversaries may delete services to evade detection and hinder incident response efforts. If confirmed malicious, this action could disrupt legitimate services, impair system functionality, and potentially allow attackers to maintain a lower profile within the environment, complicating detection and remediation efforts. +description: The following analytic detects the deletion of a service from the Windows + Registry under CurrentControlSet\Services. It leverages data from the Endpoint.Registry + datamodel, specifically monitoring registry paths and actions related to service + deletion. This activity is significant as adversaries may delete services to evade + detection and hinder incident response efforts. If confirmed malicious, this action + could disrupt legitimate services, impair system functionality, and potentially + allow attackers to maintain a lower profile within the environment, complicating + detection and remediation efforts. data_source: - Sysmon EventID 12 - Sysmon EventID 13 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*" AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored. -known_false_positives: This event can be seen when administrator delete a service or uninstall/reinstall a software that creates service entry, but it is still recommended to check this alert with high priority. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*" + AND (Registry.action = deleted OR (Registry.registry_value_name = DeleteFlag AND + Registry.registry_value_data = 0x00000001 AND Registry.action=modified)) by Registry.registry_key_name + Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_value_name + Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_deletion_in_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure + that this registry was included in your config files ex. sysmon config to be monitored. +known_false_positives: This event can be seen when administrator delete a service + or uninstall/reinstall a software that creates service entry, but it is still recommended + to check this alert with high priority. references: - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ drilldown_searches: @@ -20,13 +38,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - Brute Ratel C4 - PlugX + - Crypto Stealer + - Brute Ratel C4 asset_type: Endpoint confidence: 30 impact: 60 diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index 0d00fde6cb..025b3abf8c 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml @@ -1,18 +1,40 @@ name: Windows Service Stop By Deletion id: 196ff536-58d9-4d1b-9686-b176b04e430b -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the use of `sc.exe` to delete a Windows service. It leverages Endpoint Detection and Response (EDR) data, focusing on process execution logs that capture command-line arguments. This activity is significant because adversaries often delete services to disable security mechanisms or critical system functions, aiding in evasion and persistence. If confirmed malicious, this action could lead to the termination of essential security services, allowing attackers to operate undetected and potentially escalate their privileges or maintain long-term access to the compromised system. +description: The following analytic detects the use of `sc.exe` to delete a Windows + service. It leverages Endpoint Detection and Response (EDR) data, focusing on process + execution logs that capture command-line arguments. This activity is significant + because adversaries often delete services to disable security mechanisms or critical + system functions, aiding in evasion and persistence. If confirmed malicious, this + action could lead to the termination of essential security services, allowing attackers + to operate undetected and potentially escalate their privileges or maintain long-term + access to the compromised system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible administrative scripts may start/stop/delete services. Filter as needed. +search: '| tstats `security_content_summariesonly` values(Processes.process) as process + min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) + Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process_name + Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: It is possible administrative scripts may start/stop/delete + services. Filter as needed. references: - https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ @@ -23,17 +45,24 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Azorult - Graceful Wipe Out Attack + - Crypto Stealer asset_type: Endpoint confidence: 70 impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to delete a service. + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ attempting to delete a service. mitre_attack_id: - T1489 observable: diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml index a610acb064..2eedffa6ef 100644 --- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml +++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml @@ -1,18 +1,39 @@ name: Windows Service Stop Via Net and SC Application id: 827af04b-0d08-479b-9b84-b7d4644e4b80 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies attempts to stop services on a system using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and command-line executions. This activity is significant as adversaries often terminate security or critical services to evade detection and further their objectives. If confirmed malicious, this behavior could allow attackers to disable security defenses, facilitate ransomware encryption, or disrupt essential services, leading to potential data loss or system compromise. +description: The following analytic identifies attempts to stop services on a system + using `net.exe` or `sc.exe`. It leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process names, GUIDs, and command-line executions. This + activity is significant as adversaries often terminate security or critical services + to evade detection and further their objectives. If confirmed malicious, this behavior + could allow attackers to disable security defenses, facilitate ransomware encryption, + or disrupt essential services, leading to potential data loss or system compromise. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Windows OS or software may stop and restart services due to some critical update. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name + = "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*" + by Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid + Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_service_stop_via_net__and_sc_application_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Windows OS or software may stop and restart services due to + some critical update. references: - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ drilldown_searches: @@ -21,13 +42,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - Prestige Ransomware - Graceful Wipe Out Attack + - Crypto Stealer asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml index 5208b98aba..9c2bfc1cd6 100644 --- a/detections/endpoint/windows_system_file_on_disk.yml +++ b/detections/endpoint/windows_system_file_on_disk.yml @@ -1,22 +1,38 @@ name: Windows System File on Disk id: 993ce99d-9cdd-42c7-a2cf-733d5954e5a6 -version: 4 -date: '2024-10-17' +version: '5' +date: '2024-12-17' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms. +description: The following analytic detects the creation of new .sys files on disk. + It leverages the Endpoint.Filesystem data model to identify and log instances where + .sys files are written to the filesystem. This activity is significant because .sys + files are often used as kernel mode drivers, and their unauthorized creation can + indicate malicious activity such as rootkit installation. If confirmed malicious, + this could allow an attacker to gain kernel-level access, leading to full system + compromise, persistent control, and the ability to bypass security mechanisms. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). This will level out the noise generated to potentally lead to generating notables. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.sys*" + by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name + Filesystem.file_path Filesystem.file_hash | `drop_dm_object_name(Filesystem)` | + `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_system_file_on_disk_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on files from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. + In addition, confirm the latest CIM App 4.20 or higher is installed and the latest + TA for the endpoint product. In addition, filtering may occur by adding NOT (Filesystem.file_path + IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", "system32\*")). + This will level out the noise generated to potentally lead to generating notables. known_false_positives: False positives will be present. Filter as needed. references: - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ tags: analytic_story: - - Windows Drivers - CISA AA22-264A + - Windows Drivers + - Crypto Stealer asset_type: Endpoint confidence: 50 impact: 20 diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml index acac29b5ee..41a30da811 100644 --- a/detections/endpoint/windows_system_user_discovery_via_quser.yml +++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml @@ -1,26 +1,49 @@ name: Windows System User Discovery Via Quser id: 0c3f3e09-e47a-410e-856f-a02a5c5fafb0 -version: 3 -date: '2024-10-17' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges. +description: The following analytic detects the execution of the Windows OS tool quser.exe, + commonly used to gather information about user sessions on a Remote Desktop Session + Host server. This detection leverages data from Endpoint Detection and Response + (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial + as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware + attacks to enumerate user sessions. If confirmed malicious, attackers could leverage + this information to further compromise the system, maintain persistence, or escalate + privileges. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_user_discovery_via_quser_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network administrator can use this command tool to audit RDP access of user in specific network or host. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe" + OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name + Processes.process Processes.process_id Processes.process_guid Processes.parent_process_name + Processes.parent_process Processes.parent_process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `windows_system_user_discovery_via_quser_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: network administrator can use this command tool to audit RDP + access of user in specific network or host. references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/quser - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS - https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ tags: analytic_story: - - Windows Post-Exploitation - Prestige Ransomware + - Crypto Stealer + - Windows Post-Exploitation asset_type: Endpoint confidence: 30 impact: 30 diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml index 29ed54a869..141082b380 100644 --- a/detections/endpoint/xmrig_driver_loaded.yml +++ b/detections/endpoint/xmrig_driver_loaded.yml @@ -1,15 +1,27 @@ name: XMRIG Driver Loaded id: 90080fa6-a8df-11eb-91e4-acde48001122 -version: 3 -date: '2024-09-30' +version: '4' +date: '2024-12-17' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures and image loads. This activity is significant because XMRIG is an open-source CPU miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed malicious, this activity could lead to unauthorized resource consumption, degraded system performance, and potential financial loss due to unauthorized cryptocurrency mining. +description: The following analytic detects the installation of the XMRIG coinminer + driver on a system. It identifies the loading of the `WinRing0x64.sys` driver, commonly + associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific signatures + and image loads. This activity is significant because XMRIG is an open-source CPU + miner frequently exploited by adversaries to mine cryptocurrency illicitly. If confirmed + malicious, this activity could lead to unauthorized resource consumption, degraded + system performance, and potential financial loss due to unauthorized cryptocurrency + mining. data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys" | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xmrig_driver_loaded_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +search: '`sysmon` EventCode=6 Signature="Noriyuki MIYAZAKI" OR ImageLoaded= "*\\WinRing0x64.sys" + | stats min(_time) as firstTime max(_time) as lastTime count by dest ImageLoaded + Hashes IMPHASH Signature Signed | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `xmrig_driver_loaded_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the driver loaded and Signature from your endpoints. If you are using + Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: False positives should be limited. references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ @@ -19,13 +31,19 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: analytic_story: - - XMRig - CISA AA22-320A + - Crypto Stealer + - XMRig asset_type: Endpoint confidence: 100 impact: 80 diff --git a/stories/crypto_stealer.yml b/stories/crypto_stealer.yml new file mode 100644 index 0000000000..4179a96824 --- /dev/null +++ b/stories/crypto_stealer.yml @@ -0,0 +1,17 @@ +name: Crypto Stealer +id: 71efef85-aec7-46c7-bdaa-693b9d2bef4b +version: 1 +date: '2024-12-17' +author: Teoderick Contreras, Splunk +description: Crypto Stealer is a malware strain designed to exfiltrate cryptocurrency-related data from compromised systems. It scans the infected machine for wallet files, clipboard activity, and other cryptocurrency artifacts, focusing on intercepting sensitive information like private keys or transaction details. The malware communicates with a command-and-control (C2) server to transmit the harvested data and can dynamically adapt its behavior based on instructions received. Detection indicators include unusual network activity to suspicious IP addresses, unauthorized file access targeting cryptocurrency wallet directories, and anomalous clipboard usage associated with cryptocurrency strings (e.g., wallet addresses). Security solutions should monitor for these behaviors and implement heuristic analysis to identify deviations from normal system operations. Users are encouraged to maintain updated endpoint protection and avoid downloading files from untrusted sources to mitigate the risk posed by Crypto Stealer. +narrative: In the ever-evolving landscape of cybercrime, Crypto Stealer emerges as a sophisticated malware targeting the lucrative world of cryptocurrency. By exploiting system vulnerabilities, the malware actively scans for wallet files, clipboard data, and other digital assets, focusing on intercepting sensitive information like private keys and transaction details. Once deployed, Crypto Stealer communicates with a command-and-control (C2) server to exfiltrate stolen data and receive updated instructions for further exploitation. Notably, it often works in tandem with other malicious components, such as XMRig, a widely abused cryptocurrency miner that hijacks system resources for illicit mining operations, and ClipBanker, which manipulates clipboard activity to replace wallet addresses in transactions with those controlled by attackers. These combined tactics maximize the attack's profitability while minimizing the victim's ability to detect the theft. Indicators of compromise include unauthorized access to cryptocurrency wallet files, suspicious clipboard behavior, and outbound connections to known malicious IP addresses. By understanding and recognizing these patterns, defenders can develop effective strategies to detect and mitigate threats like Crypto Stealer before significant damage occurs. + +references: [] +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 95be36ea2bf7b6e9ddc74034a7a02f9b625836bb Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 17 Dec 2024 11:55:42 +0100 Subject: [PATCH 03/13] crypto_campaign --- .../windows_account_access_removal_via_quser_logoff.yml | 2 +- .../windows_obfuscated_files_or_information_via_rar_sfx.yml | 2 +- detections/endpoint/windows_remote_management_execute_shell.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml b/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml index 8084ca1e11..530f9e1d2b 100644 --- a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml +++ b/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml @@ -30,7 +30,7 @@ drilldown_searches: latest_offset: $info_max_time$ tags: analytic_story: - - UPDATE_STORY_NAME + - Crypto Stealer asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml index 19f87dbfcc..0949e047e1 100644 --- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -31,7 +31,7 @@ drilldown_searches: latest_offset: $info_max_time$ tags: analytic_story: - - UPDATE_STORY_NAME + - Crypto Stealer asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml index 9d4f965dcd..db9fe3dbfe 100644 --- a/detections/endpoint/windows_remote_management_execute_shell.yml +++ b/detections/endpoint/windows_remote_management_execute_shell.yml @@ -32,7 +32,7 @@ drilldown_searches: latest_offset: $info_max_time$ tags: analytic_story: - - UPDATE_STORY_NAME + - Crypto Stealer asset_type: Endpoint confidence: 30 impact: 30 From 3db1a7e77fd92c0fa22757eb7ac05770d78caf3d Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 17 Dec 2024 14:20:51 +0100 Subject: [PATCH 04/13] crypto_campaign --- ...fuscated_files_or_information_via_rar_sfx.yml | 4 ++-- ...windows_powershell_logoff_user_via_quser.yml} | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) rename detections/endpoint/{windows_account_access_removal_via_quser_logoff.yml => windows_powershell_logoff_user_via_quser.yml} (91%) diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml index 0949e047e1..75c46cf773 100644 --- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -5,9 +5,9 @@ date: '2024-12-12' author: Teoderick Contreras, Splunk data_sources: - Sysmon Event ID 11 -type: TTP +type: Anomaly status: production -description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery. +description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery. kind: endpoint search: '`sysmon` EventCode=11 Image="*.exe" TargetFilename IN ("*__tmp_rar_sfx_access_check*") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer diff --git a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml similarity index 91% rename from detections/endpoint/windows_account_access_removal_via_quser_logoff.yml rename to detections/endpoint/windows_powershell_logoff_user_via_quser.yml index 530f9e1d2b..1300d56e6a 100644 --- a/detections/endpoint/windows_account_access_removal_via_quser_logoff.yml +++ b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml @@ -1,20 +1,20 @@ -name: 'Windows Account Access Removal via Quser LogOff' +name: 'Windows Powershell Logoff User via Quser' id: 6d70780d-4cfe-4820-bafd-1b43941986b5 version: 1 date: '2024-12-12' author: Teoderick Contreras, Splunk data_sources: - Powershell Script Block Logging 4104 -type: TTP +type: Anomaly status: production description: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation. kind: endpoint -search: '`powershell` EventCode=4104 ScriptBlockText = "*quser*" ScriptBlockText = "*logoff*" +search: '`powershell` EventCode=4104 ScriptBlockText = "*quser*logoff*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText UserID Computer | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_account_access_removal_via_quser_logoff_filter`' + | `windows_powershell_logoff_user_via_quser_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command. references: @@ -32,11 +32,13 @@ tags: analytic_story: - Crypto Stealer asset_type: Endpoint - confidence: 70 - impact: 70 + confidence: 30 + impact: 30 message: Powershell process having commandline [$ScriptBlockText$] used to logoff user on [$dest$]. mitre_attack_id: - T1531 + - T1059.001 + - T1059 observable: - name: dest type: Hostname @@ -56,7 +58,7 @@ tags: - Message - dest - user - risk_score: 49 + risk_score: 9 security_domain: endpoint tests: - name: True Positive Test From 6581cc66463b8469c771b6973a9dcd860f9e447b Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 17 Dec 2024 14:39:20 +0100 Subject: [PATCH 05/13] crypto_campaign --- ...rectory_permissions_enable_inheritance.yml | 71 +++++++++++++++++++ ...rectory_permissions_remove_inheritance.yml | 71 +++++++++++++++++++ 2 files changed, 142 insertions(+) create mode 100644 detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml create mode 100644 detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml diff --git a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml new file mode 100644 index 0000000000..3cab7d6b4a --- /dev/null +++ b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml @@ -0,0 +1,71 @@ +name: Windows File and Directory Permissions Enable Inheritance +id: 0247f90a-aca4-47b2-a94d-e30f445d7b41 +version: 1 +date: '2024-12-13' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Hunting +status: production +description: The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access. +kind: endpoint +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:e*" + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_and_directory_permissions_enable_inheritance_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + confidence: 25 + impact: 25 + message: A [$process_name$] was executed on [$dest$] attempting to enable inheritance permissions. + mitre_attack_id: + - T1222.001 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.process + - Processes.process_guid + - Processes.process_name + - Processes.parent_process_name + - Processes.dest + - Processes.user + - Processes.parent_process + risk_score: 5 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml new file mode 100644 index 0000000000..bd2b142207 --- /dev/null +++ b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml @@ -0,0 +1,71 @@ +name: Windows File and Directory Permissions Remove Inheritance +id: 9b62da2c-e442-474f-83ca-fac4dabab1b3 +version: 1 +date: '2024-12-13' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Anomaly +status: production +description: The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls. +kind: endpoint +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:r*" + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_and_directory_permissions_remove_inheritance_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A [$process_name$] was executed on [$dest$] attempting to remove inheritance permissions. + mitre_attack_id: + - T1222.001 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.process + - Processes.process_guid + - Processes.process_name + - Processes.parent_process_name + - Processes.dest + - Processes.user + - Processes.parent_process + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file From 4a5edfb3f43674ab7850c472c0baf992b599c09e Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 17 Dec 2024 14:41:45 +0100 Subject: [PATCH 06/13] crypto_campaign --- .../windows_obfuscated_files_or_information_via_rar_sfx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml index 75c46cf773..1af9691ace 100644 --- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -9,7 +9,7 @@ type: Anomaly status: production description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery. kind: endpoint -search: '`sysmon` EventCode=11 Image="*.exe" TargetFilename IN ("*__tmp_rar_sfx_access_check*") +search: '`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*") | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer | rename Computer as dest | rename TargetFilename as file_name From 96ce18730fcdfcf68742805befbab0e981a51562 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 18 Dec 2024 16:07:43 +0100 Subject: [PATCH 07/13] crypto_campaign --- ...removal_via_powershell_initiate_logoff.yml | 70 ++++++++++++++++++ ...ctional_communication_via_telegram_bot.yml | 67 +++++++++++++++++ ..._directory_enable_readonly_permissions.yml | 74 +++++++++++++++++++ 3 files changed, 211 insertions(+) create mode 100644 detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml create mode 100644 detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml create mode 100644 detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml diff --git a/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml b/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml new file mode 100644 index 0000000000..b72b7a53e2 --- /dev/null +++ b/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml @@ -0,0 +1,70 @@ +name: 'Windows Account Access Removal via Powershell Initiate Logoff' +id: 223572ab-8768-4e20-9b39-c38707af80dc +version: 1 +date: '2024-12-17' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: Anomaly +status: production +description: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation. +kind: endpoint +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.parent_process_name = powershell.exe AND Processes.process_name = logoff.exe + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_account_access_removal_via_powershell_initiate_logoff_filter`' +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: Administrators or power users may use this command. +references: +- https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + confidence: 50 + impact: 50 + message: Powershell process having commandline [$ScriptBlockText$] used to logoff user on [$dest$]. + mitre_attack_id: + - T1531 + - T1059.001 + - T1059 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - dest + - user + risk_score: 25 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_logoff.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml b/detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml new file mode 100644 index 0000000000..df76899b85 --- /dev/null +++ b/detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml @@ -0,0 +1,67 @@ +name: Windows Bidirectional Communication via Telegram Bot +id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e +version: 1 +date: '2024-12-12' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 22 +type: Anomaly +status: production +description: The following analytic detects the use of DNS API calls associated with Telegram, which may indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network. +kind: endpoint +search: '`sysmon` EventCode=22 query = "api.telegram.org" + | stats count min(_time) as firstTime max(_time) as lastTime by query answer QueryResults QueryStatus process_name process_guid Computer + | rename Computer as dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_bidirectional_communication_via_telegram_bot_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: a third part automation using telegram API. +references: +- https://www.splunk.com/en_us/blog/security/threat-advisory-telegram-crypto-botnet-strt-ta01.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + confidence: 30 + impact: 30 + message: a DNS query to [$query$] on [$dest$]. + mitre_attack_id: + - T1102.002 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Image + - QueryName + - QueryStatus + - ProcessId + - dest + risk_score: 9 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_dns.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml new file mode 100644 index 0000000000..8c9a919006 --- /dev/null +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml @@ -0,0 +1,74 @@ +name: Windows File and Directory Enable ReadOnly Permissions +id: 1ae407b0-a042-4eb0-834a-590da055575e +version: 1 +date: '2024-12-13' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +type: TTP +status: production +description: The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated. +kind: endpoint +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*") + by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user + | `drop_dm_object_name(Processes)` + | rex field=process ":\\((?[^)]+)\\)" + | eval has_write_execute=if(match(permission, "(W|GE|X|M|F)"), "true", "false") + | where has_write_execute="false" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_and_directory_enable_readonly_permissions_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators or administrative scripts may use this application. Filter as needed. +references: +- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Crypto Stealer + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A [$process_name$] was executed on [$dest$] attempting to change the access to a file or directory into readonly permissions. + mitre_attack_id: + - T1222.001 + observable: + - name: dest + type: Hostname + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.process + - Processes.process_guid + - Processes.process_name + - Processes.parent_process_name + - Processes.dest + - Processes.user + - Processes.parent_process + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file From aa34aa3131f22d0fa82007d6b3febf7bf31170f5 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 18 Dec 2024 16:11:24 +0100 Subject: [PATCH 08/13] crypto_campaign --- ...ws_account_access_removal_via_powershell_initiate_logoff.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml b/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml index b72b7a53e2..f6347133d3 100644 --- a/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml +++ b/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml @@ -36,7 +36,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Powershell process having commandline [$ScriptBlockText$] used to logoff user on [$dest$]. + message: Powershell process having child process [$process_name$] used to logoff user on [$dest$]. mitre_attack_id: - T1531 - T1059.001 From 9153947933561e9ad71643c2368f484338895ac5 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 8 Jan 2025 10:12:01 +0100 Subject: [PATCH 09/13] crypto_campaign --- ...indows_account_access_removal_via_logoff_exec.yml} | 8 ++++---- ...windows_dns_query_request_by_telegram_bot_api.yml} | 11 +++++++---- 2 files changed, 11 insertions(+), 8 deletions(-) rename detections/endpoint/{windows_account_access_removal_via_powershell_initiate_logoff.yml => windows_account_access_removal_via_logoff_exec.yml} (90%) rename detections/endpoint/{windows_bidirectional_communication_via_telegram_bot.yml => windows_dns_query_request_by_telegram_bot_api.yml} (74%) diff --git a/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml similarity index 90% rename from detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml rename to detections/endpoint/windows_account_access_removal_via_logoff_exec.yml index f6347133d3..1e6afcd776 100644 --- a/detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml +++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml @@ -1,4 +1,4 @@ -name: 'Windows Account Access Removal via Powershell Initiate Logoff' +name: 'Windows Account Access Removal via Logoff Exec' id: 223572ab-8768-4e20-9b39-c38707af80dc version: 1 date: '2024-12-17' @@ -11,12 +11,12 @@ status: production description: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation. kind: endpoint search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.parent_process_name = powershell.exe AND Processes.process_name = logoff.exe + where Processes.process_name = logoff.exe by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_account_access_removal_via_powershell_initiate_logoff_filter`' + | `windows_account_access_removal_via_logoff_exec_filter`' how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Administrators or power users may use this command. references: @@ -36,7 +36,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: Powershell process having child process [$process_name$] used to logoff user on [$dest$]. + message: Process having child process [$process_name$] used to logoff user on [$dest$]. mitre_attack_id: - T1531 - T1059.001 diff --git a/detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml b/detections/endpoint/windows_dns_query_request_by_telegram_bot_api.yml similarity index 74% rename from detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml rename to detections/endpoint/windows_dns_query_request_by_telegram_bot_api.yml index df76899b85..ea311fb08f 100644 --- a/detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml +++ b/detections/endpoint/windows_dns_query_request_by_telegram_bot_api.yml @@ -1,4 +1,4 @@ -name: Windows Bidirectional Communication via Telegram Bot +name: Windows DNS Query Request by Telegram Bot API id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e version: 1 date: '2024-12-12' @@ -7,14 +7,14 @@ data_sources: - Sysmon EventID 22 type: Anomaly status: production -description: The following analytic detects the use of DNS API calls associated with Telegram, which may indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network. +description: The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network. kind: endpoint -search: '`sysmon` EventCode=22 query = "api.telegram.org" +search: '`sysmon` EventCode=22 query = "api.telegram.org" process_name != "telegram.exe" | stats count min(_time) as firstTime max(_time) as lastTime by query answer QueryResults QueryStatus process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_bidirectional_communication_via_telegram_bot_filter`' + | `windows_dns_query_request_by_telegram_bot_api_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: a third part automation using telegram API. references: @@ -37,6 +37,9 @@ tags: message: a DNS query to [$query$] on [$dest$]. mitre_attack_id: - T1102.002 + - T1071.004 + - T1071 + - T1102 observable: - name: dest type: Hostname From 185a5b8a109b0dc04339d4e2d9c881917e15c059 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 8 Jan 2025 10:32:39 +0100 Subject: [PATCH 10/13] crypto_campaign --- .../windows_file_and_directory_enable_readonly_permissions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml index 8c9a919006..7e903eff3c 100644 --- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml @@ -15,7 +15,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process ":\\((?[^)]+)\\)" - | eval has_write_execute=if(match(permission, "(W|GE|X|M|F)"), "true", "false") + | eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC)"), "true", "false") | where has_write_execute="false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` From 7a46c66392a244cf4accc74d86376c98201614e5 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 8 Jan 2025 10:41:44 +0100 Subject: [PATCH 11/13] crypto_campaign --- ...indows_file_and_directory_enable_readonly_permissions.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml index 7e903eff3c..14e1dbd4f0 100644 --- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml @@ -15,8 +15,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process ":\\((?[^)]+)\\)" - | eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC)"), "true", "false") - | where has_write_execute="false" + | eval has_read_execute=if(match(permission, "R"), "true", "false") + | eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC|DE)"), "true", "false") + | where has_write_execute="false" and has_read_execute = "true" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_and_directory_enable_readonly_permissions_filter`' From 4f75199c0955a13953467959a9dd8a474f23ec6b Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 8 Jan 2025 10:58:40 +0100 Subject: [PATCH 12/13] crypto_campaign --- ...windows_file_and_directory_enable_readonly_permissions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml index 14e1dbd4f0..04d6c8fa53 100644 --- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml @@ -15,9 +15,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | rex field=process ":\\((?[^)]+)\\)" - | eval has_read_execute=if(match(permission, "R"), "true", "false") + | eval has_read_attribute=if(match(permission, "R"), "true", "false") | eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC|DE)"), "true", "false") - | where has_write_execute="false" and has_read_execute = "true" + | where has_write_execute="false" and has_read_attribute = "true" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_and_directory_enable_readonly_permissions_filter`' From 1e781875acd9c0c0af598ee9501c01a64d85fd18 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 8 Jan 2025 11:12:15 +0100 Subject: [PATCH 13/13] crypto_campaign --- .../windows_file_and_directory_enable_readonly_permissions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml index 04d6c8fa53..033dcfb9c8 100644 --- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml @@ -16,7 +16,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ | `drop_dm_object_name(Processes)` | rex field=process ":\\((?[^)]+)\\)" | eval has_read_attribute=if(match(permission, "R"), "true", "false") - | eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC|DE)"), "true", "false") + | eval has_write_execute=if(match(permission, "(W|GA|X|M|F|AD|DC|DE)"), "true", "false") | where has_write_execute="false" and has_read_attribute = "true" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`