Merge pull request #2670 from splunk/newness

Guardians of the Haag: A Cosmic Adventure

detections/endpoint/windows_bootloader_inventory.yml

@@ -19,6 +19,7 @@ references:
 tags:
   analytic_story:
   - BlackLotus Campaign
+  - Windows BootKits
   asset_type: Endpoint
   atomic_guid: []
   confidence: 90

detections/endpoint/windows_registry_bootexecute_modification.yml

@@ -0,0 +1,56 @@
+name: Windows Registry BootExecute Modification
+id: eabbac3a-45aa-4659-920f-6b8cff383fb8
+version: 1
+date: '2023-05-03'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 13
+description: This analytic monitors the BootExecute registry key for any modifications from its default value, which could indicate potential malicious activity. The BootExecute registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, manages the list of applications and services that are executed during system boot. By default, the BootExecute value is set to "autocheck autochk *". Attackers might attempt to modify this value to achieve persistence, load malicious code, or tamper with the system's boot process.
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE Registry.registry_path="HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute" BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name
+  Registry.registry_value_name Registry.registry_value_data Registry.process_guid, Registry.action
+  | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_bootexecute_modification_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on Windows Registry that include the name of the path and key responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: False positives may be present and will need to be filtered.
+references:
+  - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
+tags:
+  analytic_story:
+  - Windows BootKits
+  asset_type: Endpoint
+  atomic_guid: []
+  confidence: 100
+  impact: 100
+  message: The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.
+  mitre_attack_id:
+  - T1542
+  - T1547.001
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 100
+  required_fields:
+  - _time
+  - Registry.dest 
+  - Registry.registry_path 
+  - Registry.registry_key_name
+  - Registry.registry_value_name 
+  - Registry.registry_value_data 
+  - Registry.process_guid
+  - Registry.action
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_service_created_with_suspicious_service_path.yml

@@ -32,6 +32,7 @@ tags:
   - Active Directory Lateral Movement
   - Brute Ratel C4
   - Qakbot
+  - Snake Malware
   asset_type: Endpoint
   confidence: 80
   impact: 70

detections/endpoint/windows_service_created_within_public_path.yml

@@ -28,6 +28,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Lateral Movement
+  - Snake Malware
   asset_type: Endpoint
   confidence: 60
   impact: 90

detections/endpoint/windows_snake_malware_file_modification_crmlog.yml

@@ -0,0 +1,53 @@
+name: Windows Snake Malware File Modification Crmlog
+id: 27187e0e-c221-471d-a7bd-04f698985ff6
+version: 1
+date: '2023-05-10'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 11
+description: The following analytic identfies a .crmlog written to windows\registration. Per the report, typically, this file has been found within the %windows%\Registration directory with the format of <RANDOM_GUID>.<RANDOM_GUID>.crmlog and is decrypted by Snake's kernel driver.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND  Filesystem.file_name="*.crmlog"  by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name
+  Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: False positives may be present as the file pattern does match legitimate files on disk. It is possible other native tools write the same file name scheme.
+references:
+- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+tags:
+  analytic_story:
+  - Snake Malware
+  asset_type: Endpoint
+  atomic_guid:
+  - 7e47ee60-9dd1-4269-9c4f-97953b183268
+  confidence: 50
+  impact: 50
+  message: A file related to Snake Malware has been identified on $dest$.
+  mitre_attack_id:
+  - T1027
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 25
+  required_fields:
+  - _time
+  - Filesystem.file_create_time 
+  - Filesystem.process_id 
+  - Filesystem.file_name
+  - Filesystem.file_path 
+  - Filesystem.dest
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml

@@ -0,0 +1,54 @@
+name: Windows Snake Malware Kernel Driver Comadmin
+id: 628d9c7c-3242-43b5-9620-7234c080a726
+version: 1
+date: '2023-05-11'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 13
+description: 'The following analytic identifies the comadmin.dat file written to disk, which is related to Snake Malware. From the report, Snakes installer drops the kernel driver and a custom DLL which is used to load the driver into a
+  single AES encrypted file on disk. Typically, this file is named comadmin.dat and is stored in the %windows%\system32\Com directory.'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\system32\\com\\*" AND Filesystem.file_name="comadmin.dat"  by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name
+  Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `windows_snake_malware_kernel_driver_comadmin_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: False positives may be present, filter as needed.
+references:
+- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+tags:
+  analytic_story:
+  - Snake Malware
+  asset_type: Endpoint
+  atomic_guid:
+  - e5cb5564-cc7b-4050-86e8-f2d9eec1941f
+  confidence: 80
+  impact: 70
+  message: A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.
+  mitre_attack_id:
+  - T1547.006
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 56
+  required_fields:
+  - _time
+  - Filesystem.file_create_time 
+  - Filesystem.process_id 
+  - Filesystem.file_name
+  - Filesystem.file_path 
+  - Filesystem.dest
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml

@@ -0,0 +1,55 @@
+name: Windows Snake Malware Registry Modification wav OpenWithProgIds
+id: 13cf8b79-805d-443c-bf52-f55bd7610dfd
+version: 1
+date: '2023-05-10'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 13
+description: The follow analytic identifies the registry being modified at .wav\\OpenWithProgIds\, which is related to the Snake Malware campaign. Upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
+  registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
+search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name)
+  as registry_key_name values(Registry.registry_path) as registry_path min(_time)
+  as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*"  by Registry.dest  Registry.user
+  Registry.registry_path Registry.registry_key_name Registry.registry_value_name |
+  `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: False positives may be present and will require tuning based on program Ids in large organizations.
+references:
+- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+tags:
+  analytic_story:
+  - Snake Malware
+  asset_type: Endpoint
+  atomic_guid:
+  - 8318ad20-0488-4a64-98f4-72525a012f6b
+  confidence: 50
+  impact: 50
+  message: A registry modification related to Snake Malware has been identified on $dest$.
+  mitre_attack_id:
+  - T1112
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 25
+  required_fields:
+  - _time
+  - Registry.dest
+  - Registry.user
+  - Registry.registry_path 
+  - Registry.registry_key_name 
+  - Registry.registry_value_name
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_snake_malware_service_create.yml

@@ -0,0 +1,60 @@
+name: Windows Snake Malware Service Create
+id: 64eb091f-8cab-4b41-9b09-8fb4942377df
+version: 1
+date: '2023-05-11'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source:
+- Windows System 7045
+description: 'The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe,
+  which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.'
+search: '`wineventlog_system` EventCode=7045  ImagePath="*\\windows\\winSxS\\*" ImagePath="*\Werfault.exe"
+  | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  Windows System logs with the Service name, Service File Name Service Start type,
+  and Service Type from your endpoints.
+known_false_positives: False positives should be limited as this is a strict primary indicator used by Snake Malware.
+references:
+- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+tags:
+  analytic_story:
+  - Snake Malware
+  asset_type: Endpoint
+  atomic_guid:
+  - b8db787e-dbea-493c-96cb-9272296ddc49
+  confidence: 90
+  impact: 80
+  message: A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.
+  mitre_attack_id:
+  - T1547.006
+  - T1569.002
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 72
+  required_fields:
+  - EventCode
+  - Service_File_Name
+  - Service_Type
+  - _time
+  - Service_Name
+  - Service_Start_Type
+  - Service_Account
+  - user
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log
+    source: XmlWinEventLog:System
+    sourcetype: XmlWinEventLog
+

detections/endpoint/windows_winlogon_with_public_network_connection.yml

@@ -0,0 +1,67 @@
+name: Windows WinLogon with Public Network Connection
+id: 65615b3a-62ea-4d65-bb9f-6f07c17df4ea
+version: 1
+date: '2023-05-03'
+author: Michael Haag, Splunk
+status: experimental
+type: Hunting
+data_source:
+  - Sysmon Event ID 1
+  - Sysmon Event ID 3
+description: The following analytic is designed to detect anomalous behavior associated with the BlackLotus Campaign, a sophisticated bootkit attack reported by ESET and further investigated in a blog by Microsoft, which provided hunting queries for security analysts. The primary focus of this analytic is to identify instances of Winlogon.exe, a critical Windows process, connecting to public IP space, which is indicative of potential malicious activity.
+  The BlackLotus Campaign is a bootkit-based attack that compromises system integrity by infecting the Master Boot Record (MBR) and Volume Boot Record (VBR). This malware variant can bypass traditional security measures, load before the operating system, and maintain persistence on the target system.
+
+  Winlogon.exe is a critical Windows process responsible for managing user logon and logoff processes. Under normal circumstances, Winlogon.exe should not be connecting to public IP addresses. However, if it does, it may indicate that the process has been compromised as part of the BlackLotus Campaign or another malicious operation.
+
+  This analytic monitors network connections made by Winlogon.exe and triggers an alert if it detects connections to public IP space. By identifying such anomalous behavior, security analysts can investigate further and respond swiftly to potential threats.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN (winlogon.exe)  Processes.process!=unknown
+  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | join  process_id [| tstats `security_content_summariesonly`
+  count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 NOT (All_Traffic.dest IN (127.0.0.1,10.0.0.0/12,172.16.0.0/12, 192.168.0.0/16, 0:0:0:0:0:0:0:1)) by All_Traffic.process_id
+  All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as publicIp ]
+  | table dest parent_process_name process_name process_path process process_id dest_port publicIp
+  | `windows_winlogon_with_public_network_connection_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node and Network_Traffic datamodel under All Traffic. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: False positives will be present and filtering will be required. Legitimate IPs will be present and need to be filtered.
+references:
+  - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
+tags:
+  analytic_story:
+  - BlackLotus Campaign
+  asset_type: Endpoint
+  atomic_guid: []
+  confidence: 50
+  impact: 50
+  message: Winlogon.exe has generated a network connection to a remote destination on endpoint $dest$.
+  mitre_attack_id:
+  - T1542.003
+  observable:
+    - name: dest
+      type: Hostname
+      role:
+        - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 25
+  required_fields:
+  - dest 
+  - parent_process_name 
+  - process_name 
+  - process_path 
+  - process 
+  - process_id 
+  - dest_port 
+  - publicIp
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog