castlerat (#3750)

* castlerat

* castlerat

* castlerat

* castlerat

---------

Co-authored-by: Teoderick Contreras <tcontreras@splunk.com>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>

Author: 3 people

detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml

@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 3
-date: '2025-09-09'
+version: 4
+date: '2025-10-31'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: |
   The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser
   processes to reduce noise.
 data_source:
-  - Cisco Network Visibility Module Flow Data
+- Cisco Network Visibility Module Flow Data
 search: |
   `cisco_network_visibility_module_flowdata`
   dest_hostname IN (
@@ -64,45 +64,48 @@ known_false_positives: |
   Internal scripts or agents performing network checks may query IP geolocation services.
   Tune by excluding known tools or adding internal allowlists for destination domains or process names and commandlines.
 references:
-  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
-  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
+- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
 drilldown_searches:
-  - name: View the detection results for - "$src$"
-    search: '%original_detection_search% | search  src = "$src$"'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
-  - name: View risk events for the last 7 days for - "$src$"
-    search:
-      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time)
-      as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
-      as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
-  message: The host $src$ made a network request to IP lookup service $dest_hostname$ using suspicious process $process_path$
+  message: The host $src$ made a network request to IP lookup service 
+    $dest_hostname$ using suspicious process $process_path$
   risk_objects:
-    - field: src
-      type: system
-      score: 40
+  - field: src
+    type: system
+    score: 40
   threat_objects:
-    - field: process_name
-      type: process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
-    - Cisco Network Visibility Module Analytics
+  - Cisco Network Visibility Module Analytics
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
-    - T1590.005
-    - T1016
+  - T1590.005
+  - T1016
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
+  - Splunk Enterprise
+  - Splunk Enterprise Security
   security_domain: endpoint
 tests:
-  - name: True Positive Test - Cisco NVM
-    attack_data:
-      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
-        source: not_applicable
-        sourcetype: cisco:nvm:flowdata
+- name: True Positive Test - Cisco NVM
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
+    source: not_applicable
+    sourcetype: cisco:nvm:flowdata

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 19
-date: '2025-09-30'
+version: 20
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -117,6 +117,7 @@ tags:
   - PromptLock
   - GhostRedirector IIS Module and Rungan Backdoor
   - Lokibot
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/schedule_task_with_rundll32_command_trigger.yml

@@ -1,27 +1,28 @@
 name: Schedule Task with Rundll32 Command Trigger
 id: 75b00fd8-a0ff-11eb-8b31-acde48001122
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic detects the creation of scheduled tasks in Windows
-  that use the rundll32 command. It leverages Windows Security EventCode 4698, which
-  logs the creation of scheduled tasks, and filters for tasks executed via rundll32.
-  This activity is significant as it is a common technique used by malware, such as
-  TrickBot, to persist in an environment or deliver additional payloads. If confirmed
-  malicious, this could lead to data theft, ransomware deployment, or other damaging
-  outcomes. Immediate investigation and mitigation are crucial to prevent further
-  compromise.
+description: The following analytic detects the creation of scheduled tasks in 
+  Windows that use the rundll32 command. It leverages Windows Security EventCode
+  4698, which logs the creation of scheduled tasks, and filters for tasks 
+  executed via rundll32. This activity is significant as it is a common 
+  technique used by malware, such as TrickBot, to persist in an environment or 
+  deliver additional payloads. If confirmed malicious, this could lead to data 
+  theft, ransomware deployment, or other damaging outcomes. Immediate 
+  investigation and mitigation are crucial to prevent further compromise.
 data_source:
 - Windows Event Log Security 4698
 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN
   ("*rundll32*") | stats count min(_time) as firstTime max(_time) as lastTime by dest,
   Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
-  logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and
-  filter known instances of Task schedule used in your environment.
+how_to_implement: To successfully implement this search, you need to be 
+  ingesting logs with the task schedule (Exa. Security Log EventCode 4698) 
+  endpoints. Tune and filter known instances of Task schedule used in your 
+  environment.
 known_false_positives: unknown
 references:
 - https://labs.vipre.com/trickbot-and-its-modules/
@@ -41,8 +42,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A scheduled task process commandline rundll32 arguments $Arguments$ on
-    host $dest$
+  message: A scheduled task process commandline rundll32 arguments $Arguments$ 
+    on host $dest$
   risk_objects:
   - field: dest
     type: system
@@ -56,6 +57,7 @@ tags:
   - Scheduled Tasks
   - Compromised Windows Host
   - Trickbot
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1053

detections/endpoint/windows_anonymous_pipe_activity.yml

@@ -1,35 +1,34 @@
 name: Windows Anonymous Pipe Activity
 id: ee301e1e-cd81-4011-a911-e5f049b9e3d5
-version: 4
-date: '2025-08-07'
+version: 5
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
-description: "The following analytic detects the creation or connection of anonymous\
-  \ pipes for inter-process communication (IPC) within a Windows environment. Anonymous\
-  \ pipes are commonly used by legitimate system processes, services, and applications\
-  \ to transfer data between related processes. However, adversaries frequently abuse\
-  \ anonymous pipes to facilitate stealthy process injection, command-and-control\
-  \ (C2) communication, credential theft, or privilege escalation. This detection\
-  \ monitors for unusual anonymous pipe activity, particularly involving non-system\
-  \ processes, unsigned executables, or unexpected parent-child process relationships.\
-  \ While legitimate use cases exist\u2014such as Windows services, software installers,\
-  \ or security tools\u2014unusual or high-frequency anonymous pipe activity should\
-  \ be investigated for potential malware, persistence mechanisms, or lateral movement\
-  \ techniques."
+description: "The following analytic detects the creation or connection of anonymous
+  pipes for inter-process communication (IPC) within a Windows environment. Anonymous
+  pipes are commonly used by legitimate system processes, services, and applications
+  to transfer data between related processes. However, adversaries frequently abuse
+  anonymous pipes to facilitate stealthy process injection, command-and-control (C2)
+  communication, credential theft, or privilege escalation. This detection monitors
+  for unusual anonymous pipe activity, particularly involving non-system processes,
+  unsigned executables, or unexpected parent-child process relationships. While legitimate
+  use cases exist—such as Windows services, software installers, or security tools—unusual
+  or high-frequency anonymous pipe activity should be investigated for potential malware,
+  persistence mechanisms, or lateral movement techniques."
 data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
 search: '`sysmon` EventCode IN (17,18) EventType IN ( "CreatePipe", "ConnectPipe")
-  PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*")) | stats  min(_time)
-  as firstTime max(_time) as lastTime count by dest EventCode PipeName ProcessGuid
-  ProcessId Image EventType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `windows_anonymous_pipe_activity_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
-  logs with the process name and pipename from your endpoints. If you are using Sysmon,
-  you must have at least version 6.0.4 of the Sysmon TA. .
-known_false_positives: Automation tool might use anonymous pipe for task orchestration
-  or process communication.
+  PipeName="*Anonymous Pipe*" NOT( Image IN ("C:\\Program Files*", "C:\\Windows\\system32\\*","C:\\Windows\\syswow64\\*"))
+  | stats  min(_time) as firstTime max(_time) as lastTime count by dest EventCode
+  PipeName ProcessGuid ProcessId Image EventType | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `windows_anonymous_pipe_activity_filter`'
+how_to_implement: To successfully implement this search, you need to be 
+  ingesting logs with the process name and pipename from your endpoints. If you 
+  are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. .
+known_false_positives: Automation tool might use anonymous pipe for task 
+  orchestration or process communication.
 references:
 - https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html
 drilldown_searches:
@@ -52,6 +51,7 @@ tags:
   - China-Nexus Threat Activity
   - SnappyBee
   - Interlock Rat
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1559
@@ -63,6 +63,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
     sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     source: XmlWinEventLog

detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml

@@ -0,0 +1,78 @@
+name: Windows Browser Process Launched with Unusual Flags
+id: 841e2abc-0442-4e7f-b445-b22680632a08
+version: 1
+date: '2025-10-31'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes 
+  where NOT (Processes.parent_process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "explorer.exe")) AND 
+        NOT (Processes.parent_process_path IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)) AND
+        Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe") AND
+        Processes.process IN ("*--mute-audio*","*--no-de-elevate*", "*--do-not-de-elevate*")
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` | `windows_browser_process_launched_with_unusual_flags_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: It is possible false positives will be present based on third
+  party applications. Filtering may be needed.
+references:
+- https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
+- https://peter.sh/experiments/chromium-command-line-switches/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest="$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: chromium browser that has unusual flags for muting or audio and prevent de-elevation of the current process in $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 15
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+tags:
+  analytic_story:
+  - Castle RAT
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1185
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/browser_unusual_flag/castle_chrome_shell32.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog