suspicious_process_with_discord_dns_query.yml
name: Suspicious Process With Discord DNS Query
id: 4d4332ae-792c-11ec-89c1-acde48001122
version: 2
date: '2023-04-14'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Anomaly
description: This analytic identifies a process making a DNS query to Discord, a well
  known instant messaging and digital distribution platform. Discord can be abused
  by adversaries, as seen in the WhisperGate campaign, to host and download malicious
  external files. A process resolving a Discord DNS name could be an indicator of
  malware trying to download files from Discord for further execution.
data_source:
- Sysmon EventID 22
search: '`sysmon` EventCode=22 QueryName IN ("*discord*") Image != "*\\AppData\\Local\\Discord\\*"
  AND Image != "*\\Program Files*" AND Image != "discord.exe" | stats count min(_time)
  as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name
  QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `suspicious_process_with_discord_dns_query_filter`'
how_to_implement: This detection relies on Sysmon logs with Event ID 22, DNS Query.
known_false_positives: Noise and false positives can be seen if this instant
  messaging platform is allowed to be used within the corporate network. In this case,
  a filter is needed.
references:
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
tags:
  analytic_story:
  - Data Destruction
  - WhisperGate
  asset_type: Endpoint
  confidence: 80
  impact: 80
  message: suspicious process $process_name$ has a dns query in $QueryName$ on $dest$
  mitre_attack_id:
  - T1059.005
  - T1059
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: process_name
    type: Process Name
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Image
  - QueryName
  - QueryStatus
  - process_name
  - QueryResults
  - dest
  risk_score: 64
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
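To make the search logic concrete outside Splunk, the following Python reimplements the same filter and `stats` aggregation over a handful of constructed Sysmon Event ID 22 records. This is an added example, not code from the Splunk security_content project; the sample events, hostnames and IP strings are made up, and it assumes (as Splunk does for field-value wildcards) that the `Image` exclusions match case-insensitively and that `*` may span backslashes.

```python
import fnmatch
from datetime import datetime

# Constructed Sysmon Event ID 22 (DNS query) records, flattened to the fields the
# detection uses. These rows are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2023-04-14T10:00:01", "Computer": "WS01", "QueryStatus": "0",
     "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9013\Discord.exe",
     "process_name": "Discord.exe", "QueryName": "discord.com",
     "QueryResults": "162.159.135.232;"},
    {"_time": "2023-04-14T10:00:05", "Computer": "WS01", "QueryStatus": "0",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "process_name": "firefox.exe", "QueryName": "cdn.discordapp.com",
     "QueryResults": "162.159.133.233;"},
    {"_time": "2023-04-14T10:02:10", "Computer": "WS01", "QueryStatus": "0",
     "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "process_name": "invoice.exe", "QueryName": "cdn.discordapp.com",
     "QueryResults": "162.159.133.233;"},
    {"_time": "2023-04-14T10:02:12", "Computer": "WS01", "QueryStatus": "0",
     "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "process_name": "invoice.exe", "QueryName": "cdn.discordapp.com",
     "QueryResults": "162.159.133.233;"},
    {"_time": "2023-04-14T10:03:00", "Computer": "WS01", "QueryStatus": "0",
     "Image": r"C:\Windows\System32\svchost.exe",
     "process_name": "svchost.exe", "QueryName": "login.microsoftonline.com",
     "QueryResults": "20.190.151.7;"},
]

# The three Image exclusions from the SPL. The last one has no wildcard, so it
# only excludes an Image field that is exactly "discord.exe", just as the SPL does.
EXCLUDED_IMAGE_PATTERNS = (
    r"*\AppData\Local\Discord\*",
    r"*\Program Files*",
    "discord.exe",
)

def image_matches(image, pattern):
    # Assumption: Splunk-style case-insensitive wildcard matching on the field value.
    return fnmatch.fnmatchcase(image.lower(), pattern.lower())

def is_suspicious(event):
    """QueryName IN ("*discord*") AND none of the Image exclusions match."""
    if "discord" not in event["QueryName"].lower():
        return False
    return not any(image_matches(event["Image"], p) for p in EXCLUDED_IMAGE_PATTERNS)

def run_detection(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime by
    Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest`."""
    groups = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = (ev["Image"], ev["QueryName"], ev["QueryStatus"],
               ev["process_name"], ev["QueryResults"], ev["Computer"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    rows = []
    for (image, qname, qstatus, pname, qres, computer), g in groups.items():
        rows.append({
            "Image": image, "QueryName": qname, "QueryStatus": qstatus,
            "process_name": pname, "QueryResults": qres, "dest": computer,
            "count": g["count"],
            "firstTime": g["firstTime"].strftime("%Y-%m-%d %H:%M:%S"),
            "lastTime": g["lastTime"].strftime("%Y-%m-%d %H:%M:%S"),
        })
    return rows

def risk_message(row):
    """Render the analytic's `message` template for one result row."""
    return (f"suspicious process {row['process_name']} has a dns query in "
            f"{row['QueryName']} on {row['dest']}")

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["count"], row["firstTime"], row["lastTime"], risk_message(row))
```

On the sample data only the `invoice.exe` rows survive: the Discord client under `AppData\Local\Discord` and Firefox under `Program Files` are excluded by the wildcard patterns, and `svchost.exe` never resolved a Discord name. The two surviving events collapse into one row with `count` 2, which is the row the `$process_name$`/`$QueryName$`/`$dest$` message would be rendered from. Because `Image != "discord.exe"` is an exact comparison against the full path, a copy of the client run from an unexpected directory is not excluded by that clause; if that is noisy in your environment, the `suspicious_process_with_discord_dns_query_filter` macro is the place to add a site-specific exclusion.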