/
windows_remote_access_software_brc4_loaded_dll.yml
83 lines (83 loc) · 4.03 KB
/
windows_remote_access_software_brc4_loaded_dll.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: Windows Remote Access Software BRC4 Loaded Dll
id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05
version: 1
date: '2022-08-24'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following anomaly detection identifies the behavior related to 4
native Windows DLLs being loaded by a non-standard process. Identified by MDSec
during their research into Brute Ratel, MDSec identified a high signal analytic
by calling out these 4 DLLs being loaded into a process. LogonCLI.dll is the Net
Logon Client DLL and is related to users and other domain services to get authenticated.
Credui.dll is Credential Manager User Interface. Credential managers receive notifications
when authentication information changes. For example, credential managers are notified
when a user logs on or an account password changes. Samcli.dll is the Security Accounts
Manager Client DLL. Adversaries may attempt to extract credential material from
the Security Account Manager (SAM) database either through in-memory techniques
or through the Windows Registry where the SAM database is stored. Dbghelp.dll is
Windows Image Helper. Windows Image Helper is commonly seen in credential dumping
due to native functions. All of these modules are important to monitor and track
and combined may lead to credentail access or dumping.
data_source:
- Sysmon EventID 7
search: '`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll",
1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll",
1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded,
"dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"),
1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded)
as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount
by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount
== 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`'
how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709
will add the ImageLoaded name to the process_name field, allowing this query to
work. Use as an example and implement for other products.
known_false_positives: This module can be loaded by a third party application. Filter
is needed.
references:
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
- https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
- https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html
- https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html
- https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager
- https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html
- https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html
tags:
analytic_story:
- Brute Ratel C4
asset_type: Endpoint
confidence: 30
impact: 30
message: a process $Image$ loaded several modules $ImageLoaded$ that might related
to credential access on $dest$.
mitre_attack_id:
- T1219
- T1003
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Image
- ImageLoaded
- process_name
- dest
- EventCode
- Signed
- ProcessId
risk_score: 9
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
update_timestamp: true