windows_snake_malware_file_modification_crmlog.yml
name: Windows Snake Malware File Modification Crmlog
id: 27187e0e-c221-471d-a7bd-04f698985ff6
version: 1
date: '2023-05-10'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 11
description: The following analytic identifies a .crmlog file written to windows\registration. Per the report, this file has typically been found in the %windows%\Registration directory with the name format <RANDOM_GUID>.<RANDOM_GUID>.crmlog, and it is decrypted by Snake's kernel driver.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND Filesystem.file_name="*.crmlog" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name
  Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`'
how_to_implement: To successfully implement this search you need to be ingesting file-system events from your endpoints, including the name of the process responsible for the change, into the `Filesystem` node of the `Endpoint` data model. In addition, confirm that CIM App 4.20 or higher and the latest TA for the endpoint product are installed.
known_false_positives: False positives may be present, as the file pattern does match legitimate files on disk. It is possible that other native tools write the same file name scheme.
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
tags:
  analytic_story:
  - Snake Malware
  asset_type: Endpoint
  atomic_guid:
  - 7e47ee60-9dd1-4269-9c4f-97953b183268
  confidence: 50
  impact: 50
  message: A file related to Snake Malware has been identified on $dest$.
  mitre_attack_id:
  - T1027
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 25
  required_fields:
  - _time
  - Filesystem.file_create_time
  - Filesystem.process_id
  - Filesystem.file_name
  - Filesystem.file_path
  - Filesystem.dest
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
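To make the search's matching logic concrete outside Splunk, the following is an added example (not part of the Splunk security_content detection or the CISA report) that applies the same where-clause and `by`-grouping to constructed Sysmon Event ID 11 records. It assumes the events have already been mapped to the `Endpoint.Filesystem` field names used by the search (`dest`, `process_id`, `file_create_time`, `file_path`, `file_name`); the sample records, hostnames and GUIDs are constructed, not real telemetry. It also goes one step beyond the search: the `has_reported_naming` check tests for the `<GUID>.<GUID>.crmlog` name format the description cites, which is useful for triage ordering but is not a condition of the SPL itself.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed Sysmon Event ID 11 (FileCreate) records, already mapped to the
# Endpoint.Filesystem field names the search uses. Not real telemetry.
_GUID_FILE = (
    "c4b1f1d0-0000-4000-8000-0000000000aa."
    "e9d2b0c1-0000-4000-8000-0000000000bb.crmlog"
)
SAMPLE_EVENTS = [
    {"_time": "2023-05-10T08:01:11Z", "dest": "ws-101", "process_id": 4,
     "file_create_time": "2023-05-10T08:01:11Z",
     "file_path": r"C:\Windows\Registration" + "\\" + _GUID_FILE,
     "file_name": _GUID_FILE},
    # Same file written again by the same process: folds into one row, count 2.
    {"_time": "2023-05-10T08:05:42Z", "dest": "ws-101", "process_id": 4,
     "file_create_time": "2023-05-10T08:01:11Z",
     "file_path": r"C:\Windows\Registration" + "\\" + _GUID_FILE,
     "file_name": _GUID_FILE},
    # COM+ catalog file in the same directory: right directory, wrong extension.
    {"_time": "2023-05-10T08:07:00Z", "dest": "ws-102", "process_id": 812,
     "file_create_time": "2023-05-10T08:07:00Z",
     "file_path": r"C:\Windows\Registration\R000000000001.clb",
     "file_name": "R000000000001.clb"},
    # Right extension, wrong directory.
    {"_time": "2023-05-10T08:09:30Z", "dest": "ws-102", "process_id": 5120,
     "file_create_time": "2023-05-10T08:09:30Z",
     "file_path": r"C:\Users\alice\Downloads\notes.crmlog",
     "file_name": "notes.crmlog"},
    # Upper-case path: NTFS paths are case-insensitive, so this must still match.
    # The name is not <GUID>.<GUID>.crmlog, so it is marked for lower-priority triage.
    {"_time": "2023-05-10T08:11:05Z", "dest": "ws-103", "process_id": 2048,
     "file_create_time": "2023-05-10T08:11:05Z",
     "file_path": r"C:\WINDOWS\REGISTRATION\legacy.crmlog",
     "file_name": "legacy.crmlog"},
]

_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_GUID_PAIR_CRMLOG = re.compile(rf"^{_GUID}\.{_GUID}\.crmlog$", re.IGNORECASE)


def matches_search(event: Dict) -> bool:
    """Mirror of the SPL where-clause:
    file_path="*\\windows\\registration\\*" AND file_name="*.crmlog".
    Compared case-insensitively because Windows paths are."""
    path = event["file_path"].lower()
    name = event["file_name"].lower()
    return "\\windows\\registration\\" in path and name.endswith(".crmlog")


def has_reported_naming(file_name: str) -> bool:
    """Optional stricter check (not in the SPL): <GUID>.<GUID>.crmlog as the report describes."""
    return _GUID_PAIR_CRMLOG.match(file_name) is not None


def run_detection(events: Iterable[Dict]) -> List[Dict]:
    """Apply the where-clause, then group like the tstats `by` clause and compute
    count / firstTime / lastTime per group, as the search does."""
    groups = defaultdict(list)
    for ev in events:
        if matches_search(ev):
            key = (ev["file_create_time"], ev["process_id"],
                   ev["file_name"], ev["file_path"], ev["dest"])
            groups[key].append(ev["_time"])  # ISO-8601 strings sort chronologically
    rows = []
    for (fct, pid, name, path, dest), times in groups.items():
        rows.append({
            "dest": dest, "process_id": pid, "file_name": name, "file_path": path,
            "file_create_time": fct, "count": len(times),
            "firstTime": min(times), "lastTime": max(times),
            "guid_pair_name": has_reported_naming(name),
            "message": f"A file related to Snake Malware has been identified on {dest}.",
        })
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["message"], row["file_path"], "count=%d" % row["count"],
              "guid_pair_name=%s" % row["guid_pair_name"])
```

Running the block yields two rows: the ws-101 file (count 2, GUID-pair name) and the ws-103 file (count 1, non-GUID name); the `.clb` file and the `Downloads` file are excluded exactly as the SPL would exclude them. The `guid_pair_name` flag is where the known-false-positive note bites: a hit that matches the search but not the reported naming scheme is the one most likely to be another tool writing the same extension, so it is a reasonable field to sort on during triage.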