diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
index e0935a8c17..303068e816 100644
--- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 9
-date: '2025-05-02'
+version: '10'
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -68,14 +68,15 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - CISA AA22-320A
+ - Compromised Windows Host
 - AgentTesla
- - Remcos
 - Data Destruction
- - Compromised Windows Host
+ - Remcos
+ - CISA AA22-320A
 - ValleyRAT
- - Windows Defense Evasion Tactics
+ - XWorm
 - WhisperGate
+ - Windows Defense Evasion Tactics
 - Crypto Stealer
 asset_type: Endpoint
 mitre_attack_id:
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
index 5752521731..0696a658c8 100644
--- a/detections/endpoint/any_powershell_downloadfile.yml
+++ b/detections/endpoint/any_powershell_downloadfile.yml
@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 14
-date: '2025-05-02'
+version: '15'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
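Review bot: `+version: '10'` quotes a value that was the integer `version: 9`, so the field changes YAML type in this hunk and any consumer that compares or sorts detection versions numerically now receives a string. The same quoting is applied in most header hunks of this diff (any_powershell_downloadfile, any_powershell_downloadstring, detect_mshta_inline_hta_execution, detect_mshta_url_in_command_line, malicious_powershell_process___execution_policy_bypass, powershell_4104_hunting, powershell_fileless_script_contains_base64_encoded_content, powershell_processing_stream_of_data, recon_avproduct_through_pwh_or_wmi, registry_keys_used_for_persistence, scheduled_task_deleted_or_created_via_cmd, suspicious_scheduled_task_from_public_directory, windows_boot_or_logon_autostart_execution_in_startup_folder, windows_defender_exclusion_registry_entry, windows_hijack_execution_flow_version_dll_side_load, windows_mshta_writing_to_world_writable_path), while cmd_carry_out_string_command_parameter, the two executables_or_script_creation_* files, powershell_loading_dotnet_into_memory_via_reflection, suspicious_mshta_child_process and windows_cmdline_tool_execution_from_non_shell_process keep an unquoted integer. Use one form repo-wide; keeping the integer, `version: 10`, preserves the previous type and matches the hand-edited files.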
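Review bot: The analytic_story list in the `@@ -68,14 +68,15 @@` hunk is reordered into a sequence that is neither the previous order nor alphabetical (`Compromised Windows Host, AgentTesla, Data Destruction, Remcos, CISA AA22-320A, …`), although the only substantive change is the added `+ - XWorm`; the reorder makes the review diff several times larger than the change. Every other analytic_story hunk in this diff shows the same pattern, most visibly registry_keys_used_for_persistence and scheduled_task_deleted_or_created_via_cmd, whose lists were alphabetical before the commit and are scrambled after it. If a tool regenerates these lists, have it emit them sorted (or append to the existing order) so that a diff shows only the story that was added.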
@@ -74,19 +74,20 @@ rba:
 type: process_name
 tags:
 analytic_story:
- - Data Destruction
+ - Log4Shell CVE-2021-44228
+ - Phemedrone Stealer
 - Malicious PowerShell
+ - PXA Stealer
 - China-Nexus Threat Activity
+ - Data Destruction
+ - Braodo Stealer
+ - PHP-CGI RCE Attack on Japanese Organizations
 - Hermetic Wiper
- - DarkCrystal RAT
- - Phemedrone Stealer
- - PXA Stealer
- - Log4Shell CVE-2021-44228
+ - Ingress Tool Transfer
 - Salt Typhoon
- - Braodo Stealer
+ - XWorm
+ - DarkCrystal RAT
 - Crypto Stealer
- - Ingress Tool Transfer
- - PHP-CGI RCE Attack on Japanese Organizations
 asset_type: Endpoint
 cve:
 - CVE-2021-44228
diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml
index 8828d08cb2..48464928ef 100644
--- a/detections/endpoint/any_powershell_downloadstring.yml
+++ b/detections/endpoint/any_powershell_downloadstring.yml
@@ -1,7 +1,7 @@
 name: Any Powershell DownloadString
 id: 4d015ef2-7adf-11eb-95da-acde48001122
-version: 11
-date: '2025-05-02'
+version: '12'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -76,15 +76,16 @@ rba:
 tags:
 analytic_story:
 - Winter Vivern
- - Ingress Tool Transfer
- - Hermetic Wiper
+ - Phemedrone Stealer
 - Malicious PowerShell
- - HAFNIUM Group
 - Data Destruction
- - IcedID
 - SysAid On-Prem Software CVE-2023-47246 Vulnerability
- - Phemedrone Stealer
 - PHP-CGI RCE Attack on Japanese Organizations
+ - Hermetic Wiper
+ - IcedID
+ - Ingress Tool Transfer
+ - HAFNIUM Group
+ - XWorm
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index 1dea4aac99..2ef56465fb 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -1,7 +1,7 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-05-06' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting @@ -17,8 +17,8 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="* - /c*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process IN ("*/c*", "*/k*") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 2e81be7922..89cedd60ca 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -1,7 +1,7 @@ name: Detect mshta inline hta execution id: a0873b32-5b68-11eb-ae93-0242ac130002 -version: 16 -date: '2025-05-02' +version: '17' +date: '2025-05-06' author: Bhavin Patel, Michael Haag, Splunk status: production type: TTP @@ -75,10 +75,11 @@ rba: type: process_name tags: analytic_story: + - Compromised Windows Host - Gozi Malware - - Suspicious MSHTA Activity - Living Off The Land - - Compromised Windows Host + - Suspicious MSHTA Activity + - XWorm asset_type: Endpoint mitre_attack_id: - T1218.005 
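Review bot: `Processes.process IN ("*/c*", "*/k*")` drops the space that the removed pattern carried before the switch: as far as the folded lines show, the two removed lines join to `Processes.process="* /c*"` (the `-` between `"*` and `/c*"` reads as the diff marker of the second removed line), so this hunt now matches any command line containing `/c` or `/k` anywhere, for example inside a URL or file path passed as an argument, not only a cmd switch. `Processes.process IN ("* /c*", "* /k*")` keeps the previous precision while still adding `/k`. The search scalar continues past the end of the hunk.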
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index ac216b3b21..59148304f6 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 12
-date: '2025-05-02'
+version: '13'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -75,10 +75,11 @@ rba:
 type: process_name
 tags:
 analytic_story:
- - Suspicious MSHTA Activity
+ - Compromised Windows Host
 - Lumma Stealer
 - Living Off The Land
- - Compromised Windows Host
+ - Suspicious MSHTA Activity
+ - XWorm
 asset_type: Endpoint
 mitre_attack_id:
 - T1218.005
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 976351b907..54418ceef5 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 15
-date: '2025-05-02'
+version: 16
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -18,10 +18,10 @@ data_source: search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", - "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*", + "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", - "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*") + "*\\Windows\\repair\\*", "*\\PerfLogs\\*") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 0ce158c9c8..86e4d79b82 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 -version: 13 -date: '2025-05-02' +version: 14 +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly 
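Review bot: The removal of `"*\\AppData\\Local\\Temp*"` and `"*:\\temp\\*"` from `Filesystem.file_path IN (...)` narrows this analytic to non-temp paths; the sibling executables_or_script_creation_in_temp_path search changed in this same diff lists `"*\\AppData\\Local\\Temp\\*"`, `"*:\\Windows\\Temp\\*"` and `"*:\\Temp*"`, so the coverage appears to move rather than vanish, but the removed `Temp*` form (no trailing backslash) also matched sibling directories such as `...\AppData\Local\TempSomething`, which the sibling's `Temp\\*` does not. The `description` and `how_to_implement` of this file sit outside the hunk and presumably still cite temp paths; a sentence such as `Writes under temp directories are covered by Executables Or Script Creation In Temp Path.` would record the split. The search scalar continues past the end of the hunk.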
@@ -18,7 +18,7 @@ data_source: search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", - "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", + "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index a3168c717f..9d6f649a51 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -1,7 +1,7 @@ name: Malicious PowerShell Process - Execution Policy Bypass id: 9be56c82-b1cc-4318-87eb-d138afaaca39 -version: 13 -date: '2025-05-02' +version: '14' +date: '2025-05-06' author: Rico Valdez, Mauricio Velazco, Splunk status: production type: Anomaly 
@@ -21,14 +21,13 @@ search: '| tstats `security_content_summariesonly` values(Processes.process_id) process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" AND Processes.process="* - bypass *") - by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash - Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path - Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`' + bypass *") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `malicious_powershell_process___execution_policy_bypass_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -66,13 +65,14 @@ rba: threat_objects: [] tags: analytic_story: + - DHS Report TA18-074A + - Volt Typhoon - China-Nexus Threat Activity - AsyncRAT - - DarkCrystal RAT - - Volt Typhoon - - Salt Typhoon - HAFNIUM Group - - DHS Report TA18-074A + - Salt Typhoon + - XWorm + - DarkCrystal RAT asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 41d3966331..7aaadbd0cd 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -1,12 +1,11 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 16 -date: '2025-05-02' +version: '17' +date: '2025-05-06' author: Michael Haag, Splunk status: production type: Hunting -description: - The following analytic identifies suspicious PowerShell execution using +description: The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers 
@@ -15,9 +14,8 @@ description: execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security. data_source: - - Powershell Script Block Logging 4104 -search: - '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), +- Powershell Script Block Logging 4104 +search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Inv
oke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0) 
@@ -45,52 +43,52 @@ search: compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer as dest, UserID as user | `powershell_4104_hunting_filter`' -how_to_implement: - The following Hunting analytic requires PowerShell operational logs +how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives: Limited false positives. May filter as needed. references: - - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md - - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell - - https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt - - https://devblogs.microsoft.com/powershell/powershell-the-blue-team/ - - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1 - - https://www.mandiant.com/resources/greater-visibilityt - - https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/ - - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html - - https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/ +- https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md +- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell +- https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt +- https://devblogs.microsoft.com/powershell/powershell-the-blue-team/ +- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1 
+- https://www.mandiant.com/resources/greater-visibilityt
+- https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/
+- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
+- https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/
 tags:
 analytic_story:
- - Braodo Stealer
- - Cactus Ransomware
- - China-Nexus Threat Activity
- - CISA AA23-347A
- - CISA AA24-241A
- - Cleo File Transfer Software
- - DarkGate Malware
- - Data Destruction
- - Flax Typhoon
- - Hermetic Wiper
- - Lumma Stealer
- - Malicious PowerShell
- - Medusa Ransomware
- - Rhysida Ransomware
- - Salt Typhoon
- - SystemBC
- - PHP-CGI RCE Attack on Japanese Organizations
- - Water Gamayun
+ - CISA AA23-347A
+ - China-Nexus Threat Activity
+ - Data Destruction
+ - PHP-CGI RCE Attack on Japanese Organizations
+ - Hermetic Wiper
+ - Medusa Ransomware
+ - Braodo Stealer
+ - Cleo File Transfer Software
+ - Lumma Stealer
+ - Salt Typhoon
+ - Cactus Ransomware
+ - Malicious PowerShell
+ - Water Gamayun
+ - XWorm
+ - Flax Typhoon
+ - CISA AA24-241A
+ - Rhysida Ransomware
+ - SystemBC
+ - DarkGate Malware
 asset_type: Endpoint
 mitre_attack_id:
- - T1059.001
+ - T1059.001
 product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
- - name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
- source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
- sourcetype: XmlWinEventLog
+- name: True Positive Test
+ attack_data:
+ - data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
+ source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index e92ecc3068..b957bfedf6 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 9
-date: '2025-05-02'
+version: '10'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -52,14 +52,15 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - AsyncRAT
- - NjRAT
- - Data Destruction
+ - Winter Vivern
+ - Malicious PowerShell
 - Medusa Ransomware
+ - Data Destruction
+ - NjRAT
+ - AsyncRAT
 - Hermetic Wiper
 - IcedID
- - Winter Vivern
- - Malicious PowerShell
+ - XWorm
 mitre_attack_id:
 - T1027
 - T1059.001
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index 0108f57425..0cd21df303 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,8 +1,8 @@
 name: PowerShell Loading DotNET into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 10
-date: '2025-05-02'
-author: Michael Haag, Splunk
+version: 11
+date: '2025-05-06'
+author: Michael Haag, Teoderick Contreras Splunk
 status: production
 type: Anomaly
 data_source:
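Review bot: The re-added reference line `+- https://www.mandiant.com/resources/greater-visibilityt` keeps what looks like a typo in its final path segment (`visibilityt`); the same text was in the removed line, but since this hunk rewrites the whole `references` list it is the place to confirm the link resolves and correct it. Apart from `+ - XWorm`, the hunk only changes the indentation of the sequences under `references`, `mitre_attack_id`, `product` and `tests` (and the related hunks earlier in this file do the same for `data_source`, `description:` and `search:`), which is formatting churn that hides the one substantive edit; a shared yamllint `indentation` rule with `indent-sequences: consistent`, or one fixed style, would stop it from reappearing. The hunk begins at `@@ -45,52 +43,52 @@` on an earlier line, inside the search scalar.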
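Review bot: `+author: Michael Haag, Teoderick Contreras Splunk` is missing the comma before `Splunk`, while every other author line in this diff separates the affiliation with one (`Teoderick Contreras, Splunk`). The same omission is in the suspicious_mshta_child_process header hunk later in this diff. Change both to `author: Michael Haag, Teoderick Contreras, Splunk`.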
@@ -15,12 +15,16 @@ description: The following analytic detects the use of PowerShell scripts to loa to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment. -search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", +search: | + `powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]::Load*", "*Reflection.Assembly.Load*", "*UnsafeLoadFrom*", "*.LoadFrom(*", "*.LoadModule(*", - "*.LoadWithPartialName*", "*ReflectionOnlyLoad*") | fillnull | stats count min(_time) - as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product - EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `powershell_loading_dotnet_into_memory_via_reflection_filter`' + "*.LoadWithPartialName*", "*ReflectionOnlyLoad*", "*Reflection.Assembly]::('daoL'[-1..-4] -join '')*") + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `powershell_loading_dotnet_into_memory_via_reflection_filter` how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index ef03410d12..d01d747e94 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml 
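Review bot: The switch from a single-quoted scalar to `search: |` keeps the literal block's trailing newline and embeds newlines inside the SPL string, so the stored `search` value now differs in form from every other search in this diff; Splunk reads newlines as whitespace so the query should still run, but `search: |-` (or staying with the quoted form) avoids the trailing newline. The added pattern `"*Reflection.Assembly]::('daoL'[-1..-4] -join '')*"` pins one exact spelling of the reversed-`Load` construction (that index range and that spacing around `-join`), so any variation in whitespace or indexing falls outside it; either state in `description` that only this variant is covered or anchor on the stable part, e.g. `"*Reflection.Assembly]::('daoL'*"`. `description` and `how_to_implement` sit outside the hunk.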
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,7 +1,7 @@
 name: Powershell Processing Stream Of Data
 id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: 10
-date: '2025-05-02'
+version: '11'
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -59,15 +59,16 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - AsyncRAT
- - Data Destruction
- - MoonPeak
+ - Malicious PowerShell
 - Medusa Ransomware
 - PXA Stealer
+ - Data Destruction
 - Braodo Stealer
+ - AsyncRAT
 - Hermetic Wiper
 - IcedID
- - Malicious PowerShell
+ - XWorm
+ - MoonPeak
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
index e6e440ca38..ec5512d2bb 100644
--- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
+++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
@@ -1,7 +1,7 @@
 name: Recon AVProduct Through Pwh or WMI
 id: 28077620-c9f6-11eb-8785-acde48001122
-version: 8
-date: '2025-05-02'
+version: '9'
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -58,14 +58,15 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - Qakbot
- - Windows Post-Exploitation
- - Hermetic Wiper
- - Ransomware
- - Prestige Ransomware
 - Malicious PowerShell
 - Data Destruction
+ - Prestige Ransomware
+ - Hermetic Wiper
+ - Ransomware
+ - Qakbot
 - MoonPeak
+ - XWorm
+ - Windows Post-Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1592
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 92fe23d00e..f1ff8be9f2 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 21
-date: '2025-05-02'
+version: '22'
+date: '2025-05-06'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -78,39 +78,40 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - Amadey
- - AsyncRAT
- - Azorult
- - BlackByte Ransomware
- - BlackSuit Ransomware
- - Braodo Stealer
- - Cactus Ransomware
+ - DHS Report TA18-074A
+ - CISA AA23-347A
 - Chaos Ransomware
 - China-Nexus Threat Activity
- - CISA AA23-347A
- - DarkGate Malware
- - Derusbi
- - DHS Report TA18-074A
- - Emotet Malware DHS Report TA18-201A
 - IcedID
- - MoonPeak
- - NjRAT
- - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
+ - BlackByte Ransomware
 - Qakbot
- - Ransomware
+ - MoonPeak
+ - Warzone RAT
+ - Windows Registry Abuse
+ - Braodo Stealer
+ - Derusbi
+ - AsyncRAT
 - RedLine Stealer
- - Remcos
+ - Suspicious MSHTA Activity
 - Salt Typhoon
+ - Cactus Ransomware
+ - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
+ - Windows Persistence Techniques
+ - WinDealer RAT
+ - Amadey
+ - Suspicious Windows Registry Activities
+ - NjRAT
+ - Sneaky Active Directory Persistence Tricks
+ - BlackSuit Ransomware
+ - Ransomware
+ - XWorm
 - SnappyBee
+ - Azorult
+ - Emotet Malware DHS Report TA18-201A
 - Snake Keylogger
- - Sneaky Active Directory Persistence Tricks
- - Suspicious MSHTA Activity
- - Suspicious Windows Registry Activities
+ - Remcos
 - SystemBC
- - Warzone RAT
- - Windows Persistence Techniques
- - Windows Registry Abuse
- - WinDealer RAT
+ - DarkGate Malware
 asset_type: Endpoint
 mitre_attack_id:
 - T1547.001
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index e60bc93e9b..59e1a41875 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 16
-date: '2025-05-02'
+version: '17'
+date: '2025-05-06'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -71,33 +71,34 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - AgentTesla
- - Amadey
- - AsyncRAT
- - Azorult
- - China-Nexus Threat Activity
- - CISA AA22-257A
- - CISA AA23-347A
- - CISA AA24-241A
- - DarkCrystal RAT
 - DHS Report TA18-074A
- - Living Off The Land
- - Medusa Ransomware
- - MoonPeak
- - NjRAT
- - NOBELIUM Group
 - Phemedrone Stealer
+ - CISA AA23-347A
+ - China-Nexus Threat Activity
+ - MoonPeak
+ - ShrinkLocker
+ - Medusa Ransomware
 - Prestige Ransomware
- - Qakbot
+ - AsyncRAT
+ - Sandworm Tools
 - RedLine Stealer
- - Rhysida Ransomware
+ - Living Off The Land
 - Salt Typhoon
- - Sandworm Tools
- - Scheduled Tasks
- - ShrinkLocker
- - Trickbot
 - Windows Persistence Techniques
+ - Amadey
 - Winter Vivern
+ - AgentTesla
+ - NjRAT
+ - XWorm
+ - DarkCrystal RAT
+ - Azorult
+ - CISA AA24-241A
+ - NOBELIUM Group
+ - CISA AA22-257A
+ - Scheduled Tasks
+ - Rhysida Ransomware
+ - Qakbot
+ - Trickbot
 asset_type: Endpoint
 mitre_attack_id:
 - T1053.005
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index 76f2a91622..bb4cc8b062 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -1,8 +1,8 @@
 name: Suspicious mshta child process
 id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 9
-date: '2025-05-02'
-author: Michael Haag, Splunk
+version: 10
+date: '2025-05-06'
+author: Michael Haag, Teoderick Contreras Splunk
 status: production
 type: TTP
 description: The following analytic identifies child processes spawned from "mshta.exe".
@@ -19,11 +19,9 @@ data_source: - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe - AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe - OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe - OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe - OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe - OR Processes.process_name=cmd.exe) by Processes.action Processes.dest Processes.original_file_name + AND Processes.process_name IN ("powershell.exe","colorcpl.exe", "msbuild.exe", "microsoft.workflow.compiler.exe", + "searchprotocolhost.exe", "scrcons.exe", "cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe", "bitsadmin.exe") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index b420cea0bc..5f894c09cb 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-06' author: Michael Haag, Splunk status: production type: Anomaly 
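Review bot: `powershell.exe` appears twice in the new `Processes.process_name IN (...)` list (first and ninth entries), a duplicate carried over from the removed `OR` chain that this rewrite was the chance to drop; remove the second occurrence. The list also mixes `"powershell.exe","colorcpl.exe"` with no space after the comma and `, `-separated entries for the rest. `pwsh.exe`, which the windows_cmdline_tool_execution_from_non_shell_process hunk in this diff treats as a shell alongside powershell.exe, is absent here; confirm whether that is intentional. The search scalar continues past the end of the hunk.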
@@ -69,20 +69,21 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - Azorult
- - China-Nexus Threat Activity
- - CISA AA23-347A
 - CISA AA24-241A
- - Crypto Stealer
- - DarkCrystal RAT
- - Living Off The Land
+ - CISA AA23-347A
 - Medusa Ransomware
- - MoonPeak
- - Ransomware
- - Ryuk Ransomware
- - Salt Typhoon
+ - China-Nexus Threat Activity
 - Scheduled Tasks
 - Windows Persistence Techniques
+ - Living Off The Land
+ - Ryuk Ransomware
+ - Salt Typhoon
+ - Ransomware
+ - DarkCrystal RAT
+ - Azorult
+ - MoonPeak
+ - XWorm
+ - Crypto Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1053.005
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 2377901896..3d24ced584 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,7 +1,7 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 7
-date: '2025-05-02'
+version: '8'
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -55,11 +55,12 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
+ - Chaos Ransomware
+ - Gozi Malware
 - NjRAT
 - RedLine Stealer
- - Gozi Malware
+ - XWorm
 - Crypto Stealer
- - Chaos Ransomware
 asset_type: Endpoint
 mitre_attack_id:
 - T1547.001
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index 52f177e87f..6e8d206eea 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -1,7 +1,7 @@ name: Windows Cmdline Tool Execution From Non-Shell Process id: 2afa393f-b88d-41b7-9793-623c93a2dfde -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -21,10 +21,9 @@ data_source: search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("ipconfig.exe", - "systeminfo.exe", "net1.exe", "arp.exe", "nslookup.exe", "route.exe", "netstat.exe", - "whoami.exe") AND NOT Processes.parent_process_name IN ("cmd.exe", "powershell.exe", - "powershell_ise.exe", "pwsh.exe", "explorer.exe", "-", "unknown") by Processes.action - Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec + "systeminfo.exe", "net1.exe", "arp.exe", "nslookup.exe", "route.exe", "netstat.exe", "hostname.exe", "whoami.exe") + AND NOT Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "explorer.exe", "-", "unknown") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 23adda5993..40599d131e 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml 
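Review bot: Adding `"hostname.exe"` to the recon list will match routine invocations by agents, installers and monitoring scripts whose parent is a service host rather than a shell, so the known_false_positives text (outside this hunk) should be rechecked and the filter macro may need a tuning note such as `known_false_positives: hostname.exe and ipconfig.exe are commonly invoked by monitoring agents and installers from non-shell parents; filter by parent_process_name as needed.` Separately, the unchanged `"-"` and `"unknown"` entries in the parent exclusion suppress every event whose parent could not be resolved, which is precisely where a process started by an injected or already-exited parent tends to land; if that is intended, a one-line why-comment in the description is warranted, otherwise keep those events and exclude only the named shells. The `by` clause and the rest of the search lie outside the hunk.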
@@ -1,7 +1,7 @@ name: Windows Defender Exclusion Registry Entry id: 13395a44-4dd9-11ec-9df7-acde48001122 -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-06' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -58,12 +58,13 @@ rba: threat_objects: [] tags: analytic_story: + - Qakbot - Remcos - - Windows Defense Evasion Tactics + - ValleyRAT + - XWorm - Azorult - - Qakbot - Warzone RAT - - ValleyRAT + - Windows Defense Evasion Tactics asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index 1971a24abe..0ed9f1d23c 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -1,7 +1,7 @@ name: Windows Hijack Execution Flow Version Dll Side Load id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea -version: 7 -date: '2025-05-02' +version: '8' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,6 +52,7 @@ rba: tags: analytic_story: - Brute Ratel C4 + - XWorm asset_type: Endpoint mitre_attack_id: - T1574.001 diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml index 75eab98c9f..c1d0f1a792 100644 --- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml +++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml @@ -1,7 +1,7 @@ name: Windows MSHTA Writing to World Writable Path id: efbcf8ee-bc75-47f1-8985-a5c638c4faf0 -version: 6 -date: '2025-05-02' +version: '7' +date: '2025-05-06' author: Michael Haag, Splunk data_source: - Sysmon EventID 11 @@ -69,6 +69,7 @@ tags: analytic_story: - APT29 Diplomatic Deceptions with WINELOADER - Suspicious MSHTA Activity + - XWorm group: - APT29 - Cozy Bear 
diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml index 181f33ed0e..45d3d74c9b 100644 --- a/detections/endpoint/windows_powershell_cryptography_namespace.yml +++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml @@ -1,7 +1,7 @@ name: Windows Powershell Cryptography Namespace id: f8b482f4-6d62-49fa-a905-dfa15698317b -version: 8 -date: '2025-05-02' +version: '9' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -55,6 +55,7 @@ rba: tags: analytic_story: - AsyncRAT + - XWorm asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml index 200a1a5975..d2597749ce 100644 --- a/detections/endpoint/windows_process_execution_from_programdata.yml +++ b/detections/endpoint/windows_process_execution_from_programdata.yml @@ -1,7 +1,7 @@ name: Windows Process Execution From ProgramData id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0 -version: 3 -date: '2025-05-02' +version: '4' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -67,9 +67,10 @@ rba: type: parent_process_name tags: analytic_story: + - SnappyBee + - XWorm - Salt Typhoon - China-Nexus Threat Activity - - SnappyBee asset_type: Endpoint mitre_attack_id: - T1036.005 diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index 7b7fa7335b..5019a7fe9a 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml 
@@ -1,7 +1,7 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 3 -date: '2025-05-02' +version: '4' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -69,13 +69,14 @@ rba: type: process_name tags: analytic_story: - - Ryuk Ransomware - - Trickbot - - Qakbot - AgentTesla - - Remcos + - XWorm - NjRAT + - Remcos + - Ryuk Ransomware - Ransomware + - Qakbot + - Trickbot asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_renamed_powershell_execution.yml b/detections/endpoint/windows_renamed_powershell_execution.yml new file mode 100644 index 0000000000..7bc2863fab --- /dev/null +++ b/detections/endpoint/windows_renamed_powershell_execution.yml 
@@ -0,0 +1,72 @@ +name: Windows Renamed Powershell Execution +id: c08014de-cc5a-42de-9775-76ecd5b37bbd +version: 1 +date: '2025-05-07' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments. +data_source: +- Sysmon EventID 1 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=powershell.exe AND Processes.process_name!=pwsh.exe + AND Processes.original_file_name=powershell.EXE by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid Processes.process_hash + Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path + Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_renamed_powershell_execution_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) 
agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: unknown +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: powershell was renamed as $process_name$ on $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - XWorm + asset_type: Endpoint + mitre_attack_id: + - T1036.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml index d009f870bd..1de85f1bbf 100644 --- a/detections/endpoint/windows_replication_through_removable_media.yml +++ b/detections/endpoint/windows_replication_through_removable_media.yml @@ -1,7 +1,7 @@ name: Windows Replication Through Removable Media id: 60df805d-4605-41c8-bbba-57baa6a4eb97 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: TTP 
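Review bot: The description claims the analytic flags renamed PowerShell "especially when invoked from unusual paths or accompanied by suspicious command-line arguments", but the search only compares `process_name` against `original_file_name=powershell.EXE` and evaluates neither path nor command line, so that last sentence should be cut or reworded to `This detection flags executions where the process name differs from the binary's OriginalFileName.` The `Processes.process_name!=pwsh.exe` clause is inert as written because only `original_file_name=powershell.EXE` is matched, meaning a renamed pwsh.exe is not caught; if PowerShell 7 coverage is intended, add its OriginalFileName to the predicate (it appears to be `pwsh.dll` — confirm against the attack dataset before relying on it). `known_false_positives: unknown` is not actionable for a production TTP scored 50; something like `known_false_positives: Rare; some vendor tooling ships a renamed PowerShell host. Filter by process_path or process_hash as needed.` gives responders a starting point. The RBA block leaves `threat_objects: []` although the message is keyed on `$process_name$`; `- field: process_name` / `type: process_name` would match the sibling analytics touched in this commit. Also `version: 1` is an unquoted integer while the bumps elsewhere in this commit write `version: '10'`, so the key's YAML type now differs between files.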
@@ -15,11 +15,9 @@ description: The following analytic detects the creation or dropping of executab data_source: - Sysmon EventID 11 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe - OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name - = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name - = *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name - = *.pif) by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time + as lastTime from datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.url") + by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index e59a403a80..23e484a116 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: 8 -date: '2025-05-02' +version: '9' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: TTP 
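Review bot: The new `"*.lnk"` and `"*.url"` entries widen a list that the description (visible in the hunk header context as "detects the creation or dropping of executab…") still introduces as executables; shortcut files are not executables, so the description should read `executable, script and shortcut files`, and the known_false_positives text deserves a recheck because Explorer writes `.lnk` files routinely and the removable-media scoping that bounds this list is not in the hunk. If the goal is the classic USB-worm lure, `"*.scr"`, `"*.hta"` and `"*.wsf"` belong to the same class as the existing `.vbs`/`.js` entries, but adding them is a deliberate scope decision rather than a cleanup. The search continues outside the hunk.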
@@ -65,11 +65,12 @@ rba: threat_objects: [] tags: analytic_story: - - AsyncRAT - - CISA AA23-347A - Compromised Windows Host + - CISA AA23-347A + - AsyncRAT - Scheduled Tasks - RedLine Stealer + - XWorm asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 2aafc6e0af..4f8580ae30 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,12 +1,11 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: TTP -description: - The following analytic identifies processes running from file paths not +description: The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional 
@@ -15,11 +14,10 @@ description: controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment. data_source: - - Sysmon EventID 1 - - Windows Event Log Security 4688 - - CrowdStrike ProcessRollup2 -search: - '| tstats `security_content_summariesonly` count values(Processes.process_name) +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path IN("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", @@ -33,8 +31,7 @@ search: Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspicious_process_file_path_filter`' -how_to_implement: - The detection is based on data that originates from Endpoint Detection +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
@@ -43,95 +40,93 @@ how_to_implement: the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: - Administrators may allow execution of specific binaries in +known_false_positives: Administrators may allow execution of specific binaries in non-standard paths. Filter as needed. references: - - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ - - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - - https://twitter.com/pr0xylife/status/1590394227758104576 - - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat - - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ +- https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ +- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ +- https://twitter.com/pr0xylife/status/1590394227758104576 +- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: - '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" 
values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: - Suspicious process $process_name$ running from a suspicious process path- + message: Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$ risk_objects: - - field: dest - type: system - score: 60 + - field: dest + type: system + score: 60 threat_objects: - - field: process_path - type: process_name + - field: process_path + type: process_name tags: analytic_story: - - SystemBC - - China-Nexus Threat Activity - - Remcos - - LockBit Ransomware - - AsyncRAT - - DarkCrystal RAT - - DarkGate Malware - - ValleyRAT - - PlugX - - Data Destruction - - Qakbot - - CISA AA23-347A - - Hermetic Wiper - - Volt Typhoon - - Double Zero Destructor - - AgentTesla - - Trickbot - - Meduza Stealer - - Phemedrone Stealer - - SnappyBee - - Azorult - - WhisperGate - - Warzone RAT - - Swift Slicer - - Rhysida Ransomware - - Brute Ratel C4 - 
- Prestige Ransomware - - BlackByte Ransomware - - Graceful Wipe Out Attack - - Chaos Ransomware - - Handala Wiper - - RedLine Stealer - - Salt Typhoon - - XMRig - - MoonPeak - - Industroyer2 - - Amadey - - IcedID - - Earth Alux - - Water Gamayun + - Meduza Stealer + - Phemedrone Stealer + - CISA AA23-347A + - China-Nexus Threat Activity + - Data Destruction + - Chaos Ransomware + - Handala Wiper + - Hermetic Wiper + - IcedID + - Swift Slicer + - PlugX + - BlackByte Ransomware + - Warzone RAT + - MoonPeak + - DarkGate Malware + - Prestige Ransomware + - AsyncRAT + - Double Zero Destructor + - RedLine Stealer + - Salt Typhoon + - Amadey + - AgentTesla + - Graceful Wipe Out Attack + - Water Gamayun + - ValleyRAT + - Earth Alux + - XWorm + - SnappyBee + - WhisperGate + - DarkCrystal RAT + - Azorult + - Brute Ratel C4 + - Industroyer2 + - Volt Typhoon + - Rhysida Ransomware + - LockBit Ransomware + - Remcos + - XMRig + - SystemBC + - Qakbot + - Trickbot asset_type: Endpoint mitre_attack_id: - - T1543 - - T1036.005 + - T1543 + - T1036.005 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml index 00fd3e0083..b1400eb21c 100644 
--- a/detections/endpoint/windows_system_logoff_commandline.yml +++ b/detections/endpoint/windows_system_logoff_commandline.yml @@ -1,7 +1,7 @@ name: Windows System LogOff Commandline id: 74a8133f-93e7-4b71-9bd3-13a66124fd57 -version: 6 -date: '2025-05-02' +version: '7' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -65,8 +65,9 @@ rba: threat_objects: [] tags: analytic_story: - - DarkCrystal RAT - NjRAT + - DarkCrystal RAT + - XWorm asset_type: Endpoint mitre_attack_id: - T1529 diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml index 310e64e50f..1ba3ae54c2 100644 --- a/detections/endpoint/windows_system_reboot_commandline.yml +++ b/detections/endpoint/windows_system_reboot_commandline.yml @@ -1,7 +1,7 @@ name: Windows System Reboot CommandLine id: 97fc2b60-c8eb-4711-93f7-d26fade3686f -version: 6 -date: '2025-05-02' +version: '7' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -65,8 +65,9 @@ rba: threat_objects: [] tags: analytic_story: - - DarkCrystal RAT - NjRAT + - XWorm + - DarkCrystal RAT - DarkGate Malware - MoonPeak asset_type: Endpoint diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml index 419704dc69..d23d2e830a 100644 --- a/detections/endpoint/windows_system_shutdown_commandline.yml +++ b/detections/endpoint/windows_system_shutdown_commandline.yml @@ -1,7 +1,7 @@ name: Windows System Shutdown CommandLine id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c -version: 7 -date: '2025-05-02' +version: '8' +date: '2025-05-06' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -64,9 +64,10 @@ rba: threat_objects: [] tags: analytic_story: - - DarkCrystal RAT - Sandworm Tools - NjRAT + - XWorm + - DarkCrystal RAT - DarkGate Malware - MoonPeak asset_type: Endpoint 
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 6ce3d279a2..16e048f377 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -1,7 +1,7 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-06' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 @@ -20,11 +20,10 @@ search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image I NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded "(?.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath - | stats count min(_time) as firstTime max(_time) as lastTime - by Image ImageLoaded dest loaded_file loaded_file_path - process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists - service_dll_signature_verified signature signature_id user_id vendor_product - | `security_content_ctime(firstTime)` + | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded + dest loaded_file loaded_file_path process_exec process_guid process_hash process_id + process_name process_path service_dll_signature_exists service_dll_signature_verified + signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you 
@@ -56,12 +55,13 @@ rba: threat_objects: [] tags: analytic_story: - - PlugX + - DarkGate Malware - China-Nexus Threat Activity - - SnappyBee - Derusbi - Salt Typhoon - - DarkGate Malware + - XWorm + - PlugX + - SnappyBee asset_type: Endpoint mitre_attack_id: - T1574.001 diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml index 7878c8e6b4..e7dd2cecc4 100644 --- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml @@ -1,14 +1,13 @@ name: Windows Unsigned MS DLL Side-Loading id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-06' author: Teoderick Contreras, Splunk data_source: - - Sysmon EventID 7 +- Sysmon EventID 7 type: Anomaly status: production -description: - The following analytic identifies potential DLL side-loading instances +description: The following analytic identifies potential DLL side-loading instances involving unsigned DLLs mimicking Microsoft signatures. It detects this activity by analyzing Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories like `system32`, `syswow64`, and `programfiles`. 
@@ -16,8 +15,7 @@ description: malicious code via legitimate processes. If confirmed malicious, this activity could allow attackers to execute arbitrary code, potentially leading to privilege escalation, persistence, and unauthorized access to sensitive information. -search: - '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus +search: '`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) | rex field=Image "(?.+\\\)" | rex field=ImageLoaded 
@@ -27,71 +25,69 @@ search: process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`' -how_to_implement: - The analytic is designed to be run against Sysmon event logs collected +how_to_implement: The analytic is designed to be run against Sysmon event logs collected from endpoints. The analytic requires the Sysmon event logs to be ingested into Splunk. The analytic searches for EventCode 7 where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. The search also filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives. The analytic can be modified to include additional known good paths for vcruntime140.dll to further reduce false positives. -known_false_positives: - False positives are possible if legitimate processes are loading +known_false_positives: False positives are possible if legitimate processes are loading vcruntime140.dll from non-standard directories. It is recommended to investigate the context of the process loading vcruntime140.dll to determine if it is malicious or not. Modify the search to include additional known good paths for vcruntime140.dll to reduce false positives. 
references: - - https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - - https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader +- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties +- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: - '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + 
earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: message: An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$. risk_objects: - - field: dest - type: system - score: 9 + - field: dest + type: system + score: 9 threat_objects: - - field: Image - type: file_name + - field: Image + type: file_name tags: analytic_story: - - China-Nexus Threat Activity - - Derusbi - - Salt Typhoon - - APT29 Diplomatic Deceptions with WINELOADER - - Earth Alux + - China-Nexus Threat Activity + - Derusbi + - APT29 Diplomatic Deceptions with WINELOADER + - Salt Typhoon + - Earth Alux + - XWorm group: - - APT29 - - Cozy Bear - - Midnight Blizzard + - APT29 + - Cozy Bear + - Midnight Blizzard asset_type: Endpoint mitre_attack_id: - - T1574.001 - - T1547 + - T1574.001 + - T1547 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint cve: [] tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_load//wineloader_dll_sideload.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_load//wineloader_dll_sideload.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml index 26490c4440..5a7df8bf54 100644 --- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml +++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml 
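Review bot: The re-flowed `how_to_implement` and `known_false_positives` text still describes a different search — SQLDumper.exe/SQLWriter.exe loading vcruntime140.dll — while the search in this file matches any Sysmon EventCode 7 with `Company="Microsoft Corporation" Signed=false` whose Image and ImageLoaded both sit outside System32, SysWOW64 and Program Files. Since the commit rewrites those lines anyway, replace them with text that matches the logic, e.g. `how_to_implement: ... searches Sysmon EventCode 7 for unsigned DLLs carrying a Microsoft company string that are loaded by an image located outside the Windows and Program Files directories.` and `known_false_positives: Unsigned DLLs labelled "Microsoft Corporation" loaded from user-writable paths by legitimate installers or portable tools; tune the excluded paths or use the filter macro.` Stale implementation notes like these send responders chasing vcruntime140.dll when the alert fires on something unrelated. The search body itself lies outside this hunk.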
@@ -1,25 +1,29 @@
name: Windows User Execution Malicious URL Shortcut File
id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: 7
-date: '2025-05-02'
+version: '8'
+date: '2025-05-06'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
-description: The following analytic detects the creation URL shortcut files, often used by malware like CHAOS ransomware.
- It leverages the Endpoint.Filesystem datamodel to identify ".url" files created outside common directories, such as "Program Files".
- This activity can be significant as ".URL" files can be used as mean to trick the user into visiting certain websites unknowingly, or when placed in certain locations such as "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", it may allow the execution of malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.
+description: The following analytic detects the creation URL shortcut files, often
+ used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel
+ to identify ".url" files created outside common directories, such as "Program Files".
+ This activity can be significant as ".URL" files can be used as mean to trick the
+ user into visiting certain websites unknowingly, or when placed in certain locations
+ such as "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
+ it may allow the execution of malicious code upon system reboot. If confirmed malicious,
+ this could allow an attacker to achieve persistence and execute harmful payloads,
+ potentially leading to further system compromise and data loss.
data_source:
- Sysmon EventID 11
search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT Filesystem.file_path IN
- ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url
- by Filesystem.action Filesystem.dest
+ ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*",
+ "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url by Filesystem.action Filesystem.dest
Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size
- Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
- | `drop_dm_object_name(Filesystem)`
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
+ Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
+ | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_user_execution_malicious_url_shortcut_file_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from
@@ -55,9 +59,10 @@ rba:
threat_objects: []
tags:
analytic_story:
- - Chaos Ransomware
+ - XWorm
- NjRAT
- Snake Keylogger
+ - Chaos Ransomware
asset_type: Endpoint
mitre_attack_id:
- T1204.002
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index 9b24d5c673..78b5c0bf1b 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
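Review bot: `version: '8'` on the first changed line of the hunk turns the detection's version from a YAML integer into a string, while the new stories/xworm.yml added by this same commit keeps `version: 1` unquoted; unless the content schema now deliberately expects a string here, write `version: 8` so the field keeps the type of the value it replaces and stays consistent with the story files. The same quoted bump appears in the other detection hunks of this commit (`version: '15'` in winevent_scheduled_task_created_within_public_path.yml and `version: '9'` in wscript_or_cscript_suspicious_child_process.yml), so the fix belongs in whatever tooling rewrote these files rather than in one hand edit. Since the description is being rewrapped anyway, two wording slips could go with it: `detects the creation URL shortcut files` reads as `detects the creation of URL shortcut files`, and `used as mean to trick` as `used as a means to trick`.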
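Review bot: The `analytic_story` list in this hunk is rewritten with no visible sort key — `Chaos Ransomware` is removed from the top and re-added at the bottom while `XWorm` goes first — and the same scrambling appears in the much longer lists of winevent_scheduled_task_created_within_public_path.yml and wscript_or_cscript_suspicious_child_process.yml, where a list that was alphabetical on the old side becomes unordered on the new side. That pattern looks like a generator emitting a set in iteration order rather than an intentional reordering; if so, sorting the entries before writing them would reduce each of these hunks to the one line that actually changes, `  - XWorm`, and keep later story additions reviewable. If the order is deliberate, say so in the commit description so reviewers do not keep flagging it.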
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -1,7 +1,7 @@
name: WinEvent Scheduled Task Created Within Public Path
id: 5d9c6eee-988c-11eb-8253-acde48001122
-version: 14
-date: '2025-05-02'
+version: '15'
+date: '2025-05-06'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -54,24 +54,25 @@ rba:
threat_objects: []
tags:
analytic_story:
- - Active Directory Lateral Movement
- - AsyncRAT
- - China-Nexus Threat Activity
- - CISA AA22-257A
- - CISA AA23-347A
- Compromised Windows Host
+ - CISA AA23-347A
+ - China-Nexus Threat Activity
- Data Destruction
- IcedID
- - Industroyer2
- Medusa Ransomware
- Prestige Ransomware
- - Ransomware
- - Ryuk Ransomware
+ - AsyncRAT
- Salt Typhoon
- - Scheduled Tasks
- - SystemBC
- Windows Persistence Techniques
- Winter Vivern
+ - Ransomware
+ - XWorm
+ - Industroyer2
+ - Active Directory Lateral Movement
+ - CISA AA22-257A
+ - Scheduled Tasks
+ - Ryuk Ransomware
+ - SystemBC
asset_type: Endpoint
mitre_attack_id:
- T1053.005
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index bb7cbcdb1d..86056c6065 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,7 +1,7 @@
name: Wscript Or Cscript Suspicious Child Process
id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 8
-date: '2025-05-02'
+version: '9'
+date: '2025-05-06'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -65,12 +65,13 @@ rba:
threat_objects: []
tags:
analytic_story:
- - Remcos
- - FIN7
- - Unusual Processes
- Data Destruction
- - WhisperGate
+ - FIN7
- NjRAT
+ - Remcos
+ - XWorm
+ - WhisperGate
+ - Unusual Processes
- ShrinkLocker
asset_type: Endpoint
mitre_attack_id:
diff --git a/stories/xworm.yml b/stories/xworm.yml
new file mode 100644
index 0000000000..d25c2dc8d2
--- /dev/null
+++ b/stories/xworm.yml 
@@ -0,0 +1,20 @@
+name: XWorm
+id: aa6ce371-0cfa-4984-81d6-553e8cc2b709
+version: 1
+date: '2025-05-06'
+author: Teoderick Contreras, Splunk
+status: production
+description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the presence of the XWorm remote access trojan (RAT). XWorm is a sophisticated and stealthy malware variant often used in data theft operations. Its capabilities include keylogging, screen capturing, remote desktop control, and data exfiltration, all of which can operate undetected. By utilizing advanced search queries and behavioral analytics, you can uncover anomalies such as unauthorized remote connections, unusual process behavior, or unexpected outbound traffic patterns. These indicators often signal the early stages of compromise, enabling rapid response before significant damage occurs. Implementing detection rules and correlating threat intelligence with system logs further enhances your ability to pinpoint XWorm activity.
+narrative: XWorm emerged on the cybercrime scene around 2022 as a commercial Remote Access Trojan (RAT) advertised on underground forums. Originally marketed as a cheap but effective alternative to more established RATs, it quickly gained popularity due to its rich feature set, modular design, and ease of use. Over time, the developers behind XWorm have continuously updated the malware to bypass detection and expand its capabilities, making it a favorite among low- to mid-tier threat actors and ransomware affiliates. XWorm is capable of full remote desktop access, keylogging, clipboard monitoring, webcam hijacking, file theft, and command execution. It also includes features for persistence, anti-analysis, and sandbox evasion. Often delivered through phishing emails or maldocs, it can be used both for espionage and as a precursor to ransomware deployment. Its adaptability and low cost have ensured its continued presence in the threat landscape.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/
+- https://sarviyamalwareanalyst.medium.com/xworm-attack-chain-leveraging-steganography-from-phishing-email-to-keylogging-via-c2-communication-f3a4c91dfd06
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
\ No newline at end of file
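Review bot: The new story file ends without a trailing newline (`\ No newline at end of file` after `usecase: Advanced Threat Detection`); add one so the next change to that last key does not show up as a rewrite of an otherwise untouched line, and so the file matches the other YAML in this commit. The `description` and `narrative` values are each a single plain scalar of several hundred characters, which makes any future wording change an unreadable one-line diff; folding them as block scalars (`description: >-` with the text wrapped and indented beneath it) keeps the runtime value identical and matches the ~80-column wrapping this same commit applies to `description:` in windows_user_execution_malicious_url_shortcut_file.yml. The `references` entries are fine as plain URLs, but the third one is a personal blog post, so a short comment above it noting what it is cited for would help the next maintainer judge whether to keep it when the link rots.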