# windows_snake_malware_kernel_driver_comadmin.yml
name: Windows Snake Malware Kernel Driver Comadmin
id: 628d9c7c-3242-43b5-9620-7234c080a726
version: 1
date: '2023-05-11'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 11
description: 'The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. According to the joint advisory, Snake''s installer drops the kernel driver and the custom DLL used to load it into a
  single AES-encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory.'
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" AND Filesystem.file_name="comadmin.dat" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name
  Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`'
how_to_implement: To successfully implement this search you need to be ingesting file-system events that include the name of the process responsible for the change from your endpoints into the `Endpoint` data model in the `Filesystem` node. In addition, confirm that CIM App 4.20 or higher and the latest TA for your endpoint product are installed.
known_false_positives: False positives may be present, filter as needed.
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
tags:
  analytic_story:
  - Snake Malware
  asset_type: Endpoint
  atomic_guid:
  - e5cb5564-cc7b-4050-86e8-f2d9eec1941f
  confidence: 80
  impact: 70
  message: A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.
  mitre_attack_id:
  - T1547.006
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 56
  required_fields:
  - _time
  - Filesystem.file_create_time
  - Filesystem.process_id
  - Filesystem.file_name
  - Filesystem.file_path
  - Filesystem.dest
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
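As an added example (not part of the Splunk content above), the same file_path/file_name constraint applied directly to raw Sysmon EventID 11 (FileCreate) XML, the format the xmlwineventlog sourcetype ingests; the sample events, hostnames and process IDs are constructed, and the `_event` helper only exists to build them.

```python
"""Apply the comadmin.dat detection logic to raw Sysmon EventID 11 XML events."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Same constraint as the tstats search: comadmin.dat under %windows%\system32\Com.
# Splunk matches field values case-insensitively, so the regex does too.
TARGET_RE = re.compile(r"\\windows\\system32\\com\\comadmin\.dat$", re.IGNORECASE)


def parse_sysmon_event(xml_text):
    """Return the fields the search groups on, or None if not a FileCreate (ID 11)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.find("e:EventID", NS).text != "11":
        return None
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    return {
        "dest": system.find("e:Computer", NS).text,
        "file_create_time": data.get("UtcTime"),
        "process_id": data.get("ProcessId"),
        "file_path": data.get("TargetFilename", ""),
    }


def find_comadmin_writes(events):
    """Filter raw events to those that would trigger the detection."""
    hits = []
    for raw in events:
        ev = parse_sysmon_event(raw)
        if ev and TARGET_RE.search(ev["file_path"]):
            ev["file_name"] = ev["file_path"].rsplit("\\", 1)[-1]
            hits.append(ev)
    return hits


def _event(event_id, computer, utc, pid, target):
    """Build a minimal Sysmon event in the advertised schema (constructed sample)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="UtcTime">{utc}</Data><Data Name="ProcessId">{pid}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')


SAMPLE_EVENTS = [  # constructed sample data
    _event(11, "ws01.corp.example", "2023-05-11 10:00:01.000", 4412, r"C:\Windows\System32\Com\comadmin.dat"),
    _event(11, "ws02.corp.example", "2023-05-11 10:00:02.000", 5120, r"C:\WINDOWS\system32\COM\COMADMIN.DAT"),
    _event(11, "ws03.corp.example", "2023-05-11 10:00:03.000", 6001, r"C:\Users\alice\Downloads\comadmin.dat"),
    _event(1, "ws01.corp.example", "2023-05-11 10:00:04.000", 4412, r"C:\Windows\System32\Com\comadmin.dat"),
]

if __name__ == "__main__":
    for hit in find_comadmin_writes(SAMPLE_EVENTS):
        print(f"comadmin.dat written on {hit['dest']} by pid {hit['process_id']}")
```

The third sample shows why the search constrains the directory as well as the name: a comadmin.dat outside system32\Com does not match, and the fourth shows that only EventID 11 is considered.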