Merge pull request #2418 from redcanaryco/snake-malware

Snake Malware Atomic Tests

atomics/T1027/T1027.yaml

@@ -202,3 +202,16 @@ atomic_tests:
       2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.
 
     name: manual
+- name: Snake Malware Encrypted crmlog file
+  description: |
+    The following Atomic Test will create a file with a specific name and sets its attributes to Hidden, System, and Archive. This was related to the Snake Malware campaign and is later decrypted by Snake's kernel driver.
+    [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)  
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"
+    cleanup_command: |
+      $fileNameToDelete = '04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog'; $filePathToDelete = "$env:windir\registration\"; $fullPathToDelete = Join-Path $filePathToDelete $fileNameToDelete; if (Test-Path $fullPathToDelete) { Remove-Item -Path $fullPathToDelete -Force; Write-Host "File deleted: $fullPathToDelete" } else { Write-Host "File not found: $fullPathToDelete" }
+    name: powershell
+    elevation_required: true

atomics/T1112/T1112.yaml

@@ -858,3 +858,16 @@ atomic_tests:
       reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5
     name: command_prompt
     elevation_required: true
+- name: Snake Malware Registry Blob
+  description: |
+    The following Atomic Test creates a registry blob in HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, which is related to Snake Malware. Per the report, upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
+    registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name "AtomicSnake" -Value $randomBytes -PropertyType Binary -Force | Out-Null
+    cleanup_command: |
+      $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
+    name: powershell
+    elevation_required: true

atomics/T1547.006/T1547.006.yaml

@@ -106,3 +106,18 @@ atomic_tests:
     elevation_required: true
     cleanup_command: |
       rm -f #{exe_path}
+- name: Snake Malware Kernel Driver Comadmin
+  description: |
+    The following Atomic Test will write an file, comadmin.dat, to disk. From the report, Snake's installer drops the kernel driver and a custom DLL which is used to load the driver into a
+    single AES encrypted file on disk. Typically, this file is named “comadmin.dat” and is stored in the %windows%\system32\Com directory. 
+    This Atomic Test will write a hardcoded named file to disk in the com directory named comadmin.dat.
+    [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)  
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
+    cleanup_command: |
+      $examplePath = Join-Path $env:windir "system32\Com"; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }
+    name: powershell
+    elevation_required: true

atomics/T1569.002/T1569.002.yaml

@@ -71,8 +71,6 @@ atomic_tests:
     command: |
       #{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
     name: command_prompt
-
-
 - name: psexec.py (Impacket)
   auto_generated_guid: edbcd8c9-3639-4844-afad-455c91e95a35
   description: |
@@ -178,3 +176,18 @@ atomic_tests:
     command: |
       "#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
     name: command_prompt
+- name: Snake Malware Service Create
+  description: |
+    The following Atomic Test will create a new service named WerFaultSvc with a binary path of WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe.
+    This was recently seen in the Snake Malware report. 
+    Upon execution, sc.exe will create a new service named WerFaultSvc with a bin path \WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe and a display name of WerFault Service.
+    [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)  
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto
+    cleanup_command: |
+      sc.exe delete "WerFaultSvc"
+    name: command_prompt
+    elevation_required: true