batch_file_write_to_system32.yml
name: Batch File Write to System32
id: 503d17cb-9eab-4cf8-a20e-01d5c6987ae3
version: 3
date: '2022-12-21'
author: Steven Dick, Michael Haag, Rico Valdez, Splunk
status: production
type: TTP
description: The search looks for a batch file (.bat) written to the Windows system
  directory tree.
data_source:
- Sysmon Event ID 1
search:
  selection1:
    Image|endswith: '*'
  condition: selection1
how_to_implement: To successfully implement this search you need to be ingesting information
  on processes that includes the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
  endpoint product.
known_false_positives: It is possible for this search to generate a notable event
  for a batch file write to a path that includes the string "system32" but is not
  the actual Windows system directory. As such, you should confirm the path of the
  batch file identified by the search. In addition, a false positive may be generated
  by an administrator copying a legitimate batch file into this directory tree. You
  should confirm that the activity is legitimate and modify the search to add exclusions
  as necessary.
references: []
tags:
  analytic_story:
  - SamSam Ransomware
  asset_type: Endpoint
  confidence: 90
  impact: 70
  message: A file - $file_name$ was written to system32 has occurred on endpoint $dest$
    by user $user$.
  mitre_attack_id:
  - T1204
  - T1204.002
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: file_name
    type: File Name
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 63
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
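The false-positive note above (a path that merely contains the string "system32", or an administrator copying a legitimate batch file) is easiest to reason about with the matching logic spelled out. The following is an added example, not code from the Splunk security content repository or from this detection: it anchors the check to the real `\Windows\System32\` tree, normalizes case and separators, and applies a user exclusion list. The event records and user names are constructed for illustration.

```python
import re

# Constructed sample events (not the page's test dataset), shaped like the fields
# the detection reports on: dest, user and the path of the written file.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "file_path": r"C:\Windows\System32\update.bat"},
    {"dest": "ws02", "user": "CORP\\bob", "file_path": r"c:/windows/system32/spool/drivers/fix.BAT"},
    {"dest": "ws03", "user": "CORP\\carol", "file_path": r"C:\Users\carol\system32_notes\todo.bat"},  # substring only
    {"dest": "ws04", "user": "CORP\\dave", "file_path": r"D:\Backups\system32\old.bat"},  # not the system tree
    {"dest": "ws05", "user": "CORP\\erin", "file_path": r"C:\Windows\System32\drivers\etc\hosts"},  # not .bat
    {"dest": "ws06", "user": "CORP\\svc_deploy", "file_path": r"C:\Windows\System32\deploy.bat"},  # excluded below
]

# Anchored pattern: drive letter, the real system directory, then any .bat beneath it.
# A bare "*system32*" substring test would also fire on ws03 and ws04, which is the
# false positive the rule documentation warns about.
_SYSTEM32_BAT = re.compile(r"^[a-z]:\\windows\\system32\\.*\.bat$")


def normalize_path(path: str) -> str:
    """Lower-case and unify separators so the comparison is exact, not cosmetic."""
    return path.replace("/", "\\").lower()


def is_system32_bat_write(path: str) -> bool:
    """True only for .bat files under the actual Windows\\System32 tree."""
    return bool(_SYSTEM32_BAT.match(normalize_path(path)))


def find_bat_writes_to_system32(events, excluded_users=()):
    """Return one finding per qualifying event, skipping users on the exclusion list."""
    excluded = {u.lower() for u in excluded_users}
    findings = []
    for ev in events:
        if ev["user"].lower() in excluded:
            continue  # administrator exclusion, as the rule's known_false_positives suggests
        if not is_system32_bat_write(ev["file_path"]):
            continue
        file_name = normalize_path(ev["file_path"]).rsplit("\\", 1)[-1]
        findings.append({
            "dest": ev["dest"],
            "user": ev["user"],
            "file_name": file_name,
            "message": f"A file - {file_name} was written to system32 on endpoint {ev['dest']} by user {ev['user']}.",
        })
    return findings
```

Running `find_bat_writes_to_system32(SAMPLE_EVENTS, excluded_users=["CORP\\svc_deploy"])` flags only ws01 and ws02; the substring-only, wrong-tree, non-.bat and excluded-user records are dropped.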