-
Notifications
You must be signed in to change notification settings - Fork 339
/
revil_registry_entry.yml
97 lines (97 loc) · 4.37 KB
/
revil_registry_entry.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
name: Revil Registry Entry
id: e3d3f57a-c381-11eb-9e35-acde48001122
version: 4
date: '2024-05-24'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic identifies suspicious modifications in the registry
entry, specifically targeting paths used by malware like REVIL. It detects changes
in registry paths such as `SOFTWARE\\WOW6432Node\\Facebook_Assistant` and `SOFTWARE\\WOW6432Node\\BlackLivesMatter`.
This detection leverages data from Endpoint Detection and Response (EDR) agents,
focusing on registry modifications linked to process GUIDs. This activity is significant
as it indicates potential malware persistence mechanisms, often used by advanced
persistent threats (APTs) and ransomware. If confirmed malicious, this could allow
attackers to maintain persistence, encrypt files, and store critical ransomware-related
information on compromised hosts.
data_source:
- Sysmon EventID 1
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id
Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name
Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)`
| join process_guid [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\Facebook_Assistant\\*"
OR Registry.registry_path="*\\SOFTWARE\\WOW6432Node\\BlackLivesMatter*") BY _time
span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`]
| fields firstTime lastTime dest user parent_process_name parent_process process_name
process_path process registry_key_name registry_path registry_value_name registry_value_data
process_guid | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `revil_registry_entry_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: unknown
references:
- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
tags:
analytic_story:
- Ransomware
- Revil Ransomware
- Windows Registry Abuse
asset_type: Endpoint
confidence: 100
impact: 60
message: A registry entry $registry_path$ with registry value $registry_value_name$
and $registry_value_name$ related to revil ransomware in host $dest$
mitre_attack_id:
- T1112
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.user
- Processes.dest
- Processes.process_id
- Processes.process_name
- Processes.process
- Processes.process_path
- Processes.parent_process_name
- Processes.parent_process
- Processes.process_guid
- Registry.dest
- Registry.registry_value_name
- Registry.registry_key_name
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
risk_score: 60
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/revil/inf1/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog