/
windows_replication_through_removable_media.yml
81 lines (81 loc) · 3.59 KB
/
windows_replication_through_removable_media.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: Windows Replication Through Removable Media
id: 60df805d-4605-41c8-bbba-57baa6a4eb97
version: 1
date: '2023-09-07'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: This analytic is developed to detect suspicious executable or script
files created or dropped in the root drive of a targeted host. This technique is
commonly used by threat actors, adversaries or even red teamers to replicate or
spread in possible removable drives. Back then, WORM malware was popular for this
technique where it would drop a copy of itself in the root drive to be able to spread
or to have a lateral movement in other network machines. Nowadays, Ransomware like
CHAOS ransomware also use this technique to spread its malicious code in possible
removable drives. This TTP detection can be a good indicator that a process might
create a persistence technique or lateral movement of a targeted machine. We suggest
checking the process name that creates this event, the file created, user type,
and the reason why that executable or scripts are dropped in the root drive.
data_source:
- Sysmon EventID 11
search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe
OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name
= *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name
= *.js OR Filesystem.file_name= *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name
= *.pif) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name
Filesystem.file_path Filesystem.user Filesystem.dest | `drop_dm_object_name(Filesystem)` | eval
dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count
= mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) |
where LIKE(root_drive, "%:") AND dropped_file_path_split_count = 2 AND root_drive!=
"C:" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_replication_through_removable_media_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the Filesystem responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
known_false_positives: Administrators may allow creation of script or exe in the paths
specified. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1204/002/
- https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
tags:
analytic_story:
- Chaos Ransomware
- NjRAT
- PlugX
asset_type: Endpoint
confidence: 80
impact: 80
message: executable or script $file_path$ was dropped in root drive $root_drive$ in
$dest$
mitre_attack_id:
- T1091
observable:
- name: user
type: User
role:
- Victim
- name: file_name
type: File Name
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Filesystem.file_path
- Filesystem.file_create_time
- Filesystem.process_id
- Filesystem.file_name
- Filesystem.user
risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
update_timestamp: true