From 3c475d25c8e9234b887d2172ccc72bf443b5bc1f Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 26 May 2025 10:28:31 +0200 Subject: [PATCH 1/8] innoloader --- ...cmd_carry_out_string_command_parameter.yml | 51 +++++------ ..._files_and_directories_with_attrib_exe.yml | 7 +- .../endpoint/lolbas_with_network_traffic.yml | 88 +++++++++---------- ...fox_process_access_firefox_profile_dir.yml | 23 ++--- detections/endpoint/recon_using_wmi_class.yml | 11 +-- ...s_scheduled_task_from_public_directory.yml | 23 ++--- ...ial_access_from_browser_password_store.yml | 13 +-- ...assword_stores_chrome_extension_access.yml | 16 ++-- ...ssword_stores_chrome_localstate_access.yml | 23 ++--- ...ssword_stores_chrome_login_data_access.yml | 23 ++--- ...earch_order_hijacking_hunt_with_sysmon.yml | 9 +- .../windows_hidden_schedule_task_settings.yml | 16 ++-- ...k_execution_flow_version_dll_side_load.yml | 5 +- ...windows_scheduled_task_created_via_xml.yml | 5 +- .../windows_suspicious_process_file_path.yml | 67 +++++++------- ..._dll_side_loading_in_same_process_path.yml | 9 +- ...eduled_task_created_within_public_path.yml | 29 +++--- ...ws_task_scheduler_event_action_started.yml | 28 +++--- ...ess_dns_query_known_abuse_web_services.yml | 15 ++-- .../network/windows_abused_web_services.yml | 5 +- stories/malicious_inno_setup_loader.yml | 20 +++++ 21 files changed, 259 insertions(+), 227 deletions(-) create mode 100644 stories/malicious_inno_setup_loader.yml diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 2ef56465fb..4dc648f89b 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml 
@@ -1,7 +1,7 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 11 -date: '2025-05-06' +version: '12' +date: '2025-05-26' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting 
@@ -17,14 +17,14 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process IN ("*/c*", "*/k*") - by Processes.action Processes.dest Processes.original_file_name Processes.parent_process - Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id - Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec - Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cmd_carry_out_string_command_parameter_filter`' + as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process + IN ("*/c*", "*/k*") by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid Processes.process_hash + Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path + Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -41,27 +41,28 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ tags: analytic_story: - - Data Destruction - - DarkGate Malware - - Chaos Ransomware - - Hermetic Wiper - - Warzone RAT + - PlugX - Winter Vivern + - Rhysida Ransomware + - Malicious Inno Setup Loader + - DarkGate Malware - ProxyNotShell - - IcedID - - Living Off The Land - - NjRAT - Log4Shell CVE-2021-44228 - - CISA AA23-347A - - AsyncRAT - - Rhysida Ransomware - - DarkCrystal RAT - - Crypto Stealer - Azorult + - Living Off The Land - Qakbot - - RedLine Stealer - - PlugX + - Chaos Ransomware + - IcedID + - Data Destruction + - Crypto Stealer - WhisperGate + - NjRAT + - AsyncRAT + - CISA AA23-347A + - Hermetic Wiper + - RedLine Stealer + - DarkCrystal RAT + - Warzone RAT asset_type: Endpoint cve: - CVE-2021-44228 diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 97cf82c455..0bed18c0b0 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -1,7 +1,7 @@ name: Hiding Files And Directories With Attrib exe id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1 -version: 12 -date: '2025-05-02' +version: '13' +date: '2025-05-26' author: Bhavin Patel, Splunk status: production type: TTP @@ -64,8 +64,9 @@ rba: threat_objects: [] tags: analytic_story: - - Azorult - Windows Persistence Techniques + - Malicious Inno Setup Loader + - Azorult - Compromised Windows Host - Windows Defense Evasion Tactics - Crypto Stealer diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 196c4b5250..530cf4f7f8 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml 
@@ -1,12 +1,11 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 10 -date: '2025-05-19' +version: '11' +date: '2025-05-26' author: Steven Dick status: production type: TTP -description: - The following analytic identifies the use of Living Off the Land Binaries +description: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently @@ -15,9 +14,8 @@ description: to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. data_source: - - Sysmon EventID 3 -search: - '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) +- Sysmon EventID 3 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", 
@@ -36,61 +34,59 @@ search: All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=app ".*\\\(?.*)$" | `lolbas_with_network_traffic_filter`' -how_to_implement: - To successfully implement this detection you must ingest events +how_to_implement: To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with matching process_id field. Sysmon EID1 and EID3 are good examples of this type this data type. -known_false_positives: - Legitimate usage of internal automation or scripting, especially +known_false_positives: Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. 
ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") references: - - https://lolbas-project.github.io/# - - https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ +- https://lolbas-project.github.io/# +- https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ drilldown_searches: - - name: View the detection results for - "$src$" - search: '%original_detection_search% | search src = "$src$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$src$" - search: - '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: 
$info_min_time$ + latest_offset: $info_max_time$ rba: message: The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$. risk_objects: - - field: src - type: system - score: 25 + - field: src + type: system + score: 25 threat_objects: - - field: dest_ip - type: ip_address + - field: dest_ip + type: ip_address tags: analytic_story: - - Living Off The Land - - Water Gamayun - - Fake CAPTCHA Campaigns + - Fake CAPTCHA Campaigns + - Living Off The Land + - Malicious Inno Setup Loader + - Water Gamayun asset_type: Endpoint mitre_attack_id: - - T1105 - - T1567 - - T1218 + - T1105 + - T1567 + - T1218 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: network tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 1537768279..5ea450fb78 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml 
@@ -1,7 +1,7 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 9 -date: '2025-05-02' +version: '10' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -48,21 +48,22 @@ rba: threat_objects: [] tags: analytic_story: - - AgentTesla + - NjRAT - Snake Keylogger - - CISA AA23-347A + - AgentTesla + - DarkGate Malware - China-Nexus Threat Activity - - Remcos - - FIN7 + - 3CX Supply Chain Attack + - Malicious Inno Setup Loader + - CISA AA23-347A - Phemedrone Stealer - - SnappyBee - Azorult + - Remcos - RedLine Stealer - - Warzone RAT - Salt Typhoon - - 3CX Supply Chain Attack - - DarkGate Malware - - NjRAT + - Warzone RAT + - SnappyBee + - FIN7 asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 4ec4fb9628..5a2f320980 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -1,7 +1,7 @@ name: Recon Using WMI Class id: 018c1972-ca07-11eb-9473-acde48001122 -version: 7 -date: '2025-05-02' +version: '8' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -65,12 +65,13 @@ rba: tags: analytic_story: - AsyncRAT - - Qakbot - - Industroyer2 - - Hermetic Wiper - LockBit Ransomware - Malicious PowerShell + - Malicious Inno Setup Loader + - Hermetic Wiper - Data Destruction + - Qakbot + - Industroyer2 - MoonPeak asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 5f894c09cb..1f5f2802a3 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml 
@@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: '12' -date: '2025-05-06' +version: '13' +date: '2025-05-26' author: Michael Haag, Splunk status: production type: Anomaly @@ -69,21 +69,22 @@ rba: threat_objects: [] tags: analytic_story: - - CISA AA24-241A - - CISA AA23-347A - - Medusa Ransomware + - DarkCrystal RAT - China-Nexus Threat Activity - - Scheduled Tasks - Windows Persistence Techniques - - Living Off The Land - Ryuk Ransomware + - Medusa Ransomware + - Malicious Inno Setup Loader + - CISA AA23-347A + - Azorult + - Living Off The Land + - Crypto Stealer - Salt Typhoon + - XWorm + - CISA AA24-241A + - Scheduled Tasks - Ransomware - - DarkCrystal RAT - - Azorult - MoonPeak - - XWorm - - Crypto Stealer asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index b9223a5576..9efc504160 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -1,7 +1,7 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 -version: 11 -date: '2025-05-02' +version: '13' +date: '2025-05-26' author: Teoderick Contreras, Bhavin Patel Splunk data_source: - Windows Event Log Security 4663 @@ -60,15 +60,16 @@ rba: threat_objects: [] tags: analytic_story: - - Meduza Stealer - Snake Keylogger - China-Nexus Threat Activity - - SnappyBee + - Meduza Stealer + - Malicious Inno Setup Loader + - Earth Alux - PXA Stealer - Salt Typhoon - - MoonPeak - Braodo Stealer - - Earth Alux + - SnappyBee + - MoonPeak asset_type: Endpoint mitre_attack_id: - T1012 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index dffcf3d9be..c5ab2438dd 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Extension Access id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af -version: 6 -date: '2025-05-02' +version: '8' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -53,13 +53,14 @@ rba: tags: analytic_story: - DarkGate Malware - - CISA AA23-347A - Amadey - - RedLine Stealer + - Meduza Stealer + - Malicious Inno Setup Loader - Phemedrone Stealer - - MoonPeak + - CISA AA23-347A + - RedLine Stealer - Braodo Stealer - - Meduza Stealer + - MoonPeak asset_type: Endpoint mitre_attack_id: - T1012 @@ -71,7 +72,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/browser_ext_access/security-ext-raw.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 909d060808..5fc0aed55a 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml 
@@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,21 +51,22 @@ rba: threat_objects: [] tags: analytic_story: - - Meduza Stealer + - NjRAT - Snake Keylogger + - DarkGate Malware - China-Nexus Threat Activity + - Meduza Stealer + - Amadey + - Malicious Inno Setup Loader - Phemedrone Stealer - - SnappyBee - - PXA Stealer + - Earth Alux - RedLine Stealer - - Warzone RAT + - PXA Stealer - Salt Typhoon - - DarkGate Malware - - MoonPeak - Braodo Stealer - - Amadey - - NjRAT - - Earth Alux + - Warzone RAT + - SnappyBee + - MoonPeak asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index faeb48d7ed..9dc86c330d 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 11 -date: '2025-05-02' +version: '12' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -52,21 +52,22 @@ rba: threat_objects: [] tags: analytic_story: - - Meduza Stealer + - NjRAT - Snake Keylogger + - DarkGate Malware - China-Nexus Threat Activity + - Meduza Stealer + - Amadey + - Malicious Inno Setup Loader - Phemedrone Stealer - - SnappyBee - - PXA Stealer + - Earth Alux - RedLine Stealer - - Warzone RAT + - PXA Stealer - Salt Typhoon - - DarkGate Malware - - MoonPeak - Braodo Stealer - - Amadey - - NjRAT - - Earth Alux + - Warzone RAT + - SnappyBee + - MoonPeak asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index 9d6ff98fdf..e6a80c3955 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml @@ -1,7 +1,7 @@ name: Windows DLL Search Order Hijacking Hunt with Sysmon id: 79c7d1fc-64c7-91be-a616-ccda752efe81 -version: 10 -date: '2025-05-02' +version: '11' +date: '2025-05-26' author: Michael Haag, Splunk status: production type: Hunting @@ -32,9 +32,10 @@ references: - https://hijacklibs.net tags: analytic_story: - - Living Off The Land - - Windows Defense Evasion Tactics - Qakbot + - Windows Defense Evasion Tactics + - Living Off The Land + - Malicious Inno Setup Loader asset_type: Endpoint mitre_attack_id: - T1574.001 diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index 08f86a37d4..0a6fbfe335 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -1,7 +1,7 @@ name: Windows Hidden Schedule Task Settings id: 0b730470-5fe8-4b13-93a7-fe0ad014d0cc -version: 7 -date: '2025-05-02' +version: '8' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -50,12 +50,13 @@ rba: tags: analytic_story: - CISA AA22-257A - - Industroyer2 - - Data Destruction - - Scheduled Tasks - - Compromised Windows Host - Active Directory Discovery + - Malicious Inno Setup Loader + - Compromised Windows Host + - Data Destruction + - Industroyer2 - Cactus Ransomware + - Scheduled Tasks asset_type: Endpoint mitre_attack_id: - T1053 @@ -67,7 +68,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log source: WinEventLog:Security sourcetype: WinEventLog diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index 0ed9f1d23c..76e7658f75 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -1,7 +1,7 @@ name: Windows Hijack Execution Flow Version Dll Side Load id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea -version: '8' -date: '2025-05-06' +version: '9' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -53,6 +53,7 @@ tags: analytic_story: - Brute Ratel C4 - XWorm + - Malicious Inno Setup Loader asset_type: Endpoint mitre_attack_id: - T1574.001 diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index 5aedb96873..13b1ab8cba 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml 
@@ -1,7 +1,7 @@ name: Windows Scheduled Task Created Via XML id: 7e03b682-3965-4598-8e91-a60a40a3f7e4 -version: 8 -date: '2025-05-02' +version: '9' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: TTP @@ -69,6 +69,7 @@ rba: tags: analytic_story: - Winter Vivern + - Malicious Inno Setup Loader - CISA AA23-347A - Scheduled Tasks - MoonPeak diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 4f8580ae30..0d00f41403 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: '12' -date: '2025-05-06' +version: '13' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -74,47 +74,48 @@ rba: type: process_name tags: analytic_story: - - Meduza Stealer - - Phemedrone Stealer - - CISA AA23-347A - - China-Nexus Threat Activity - - Data Destruction - - Chaos Ransomware - - Handala Wiper - - Hermetic Wiper - - IcedID - - Swift Slicer - PlugX - BlackByte Ransomware - - Warzone RAT - - MoonPeak + - Rhysida Ransomware + - ValleyRAT + - Malicious Inno Setup Loader + - Double Zero Destructor + - Remcos + - Handala Wiper + - Trickbot - DarkGate Malware + - China-Nexus Threat Activity - Prestige Ransomware - - AsyncRAT - - Double Zero Destructor - - RedLine Stealer - - Salt Typhoon - Amadey - - AgentTesla - - Graceful Wipe Out Attack - - Water Gamayun - - ValleyRAT + - Phemedrone Stealer - Earth Alux + - Azorult + - XMRig + - Qakbot - XWorm - - SnappyBee + - Chaos Ransomware + - IcedID + - Graceful Wipe Out Attack + - Meduza Stealer + - LockBit Ransomware + - Volt Typhoon + - Data Destruction + - Salt Typhoon + - Brute Ratel C4 - WhisperGate + - Water Gamayun + - AgentTesla + - Swift Slicer + - SystemBC + - AsyncRAT + - CISA AA23-347A + - Hermetic Wiper + - RedLine Stealer - DarkCrystal RAT - - Azorult - - Brute Ratel C4 + - Warzone RAT + - SnappyBee - Industroyer2 - - Volt Typhoon - - Rhysida Ransomware - - LockBit Ransomware - - Remcos - - XMRig - - SystemBC - - Qakbot - - Trickbot + - MoonPeak asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 16e048f377..9985471810 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml 
@@ -1,7 +1,7 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: '12' -date: '2025-05-06' +version: '13' +date: '2025-05-26' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 7 @@ -55,12 +55,13 @@ rba: threat_objects: [] tags: analytic_story: + - PlugX - DarkGate Malware - - China-Nexus Threat Activity - Derusbi + - China-Nexus Threat Activity + - Malicious Inno Setup Loader - Salt Typhoon - XWorm - - PlugX - SnappyBee asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 78b5c0bf1b..5f1e519bac 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: '15' -date: '2025-05-06' +version: '16' +date: '2025-05-26' author: Michael Haag, Splunk status: production type: TTP @@ -54,25 +54,26 @@ rba: threat_objects: [] tags: analytic_story: + - Windows Persistence Techniques + - Winter Vivern + - Ryuk Ransomware + - Medusa Ransomware + - Malicious Inno Setup Loader - Compromised Windows Host - - CISA AA23-347A - China-Nexus Threat Activity - - Data Destruction - - IcedID - - Medusa Ransomware - Prestige Ransomware - - AsyncRAT - - Salt Typhoon - - Windows Persistence Techniques - - Winter Vivern - - Ransomware - XWorm - - Industroyer2 + - Ransomware - Active Directory Lateral Movement + - IcedID + - Data Destruction + - Salt Typhoon + - Industroyer2 - CISA AA22-257A - - Scheduled Tasks - - Ryuk Ransomware - SystemBC + - AsyncRAT + - CISA AA23-347A + - Scheduled Tasks asset_type: Endpoint mitre_attack_id: - T1053.005 
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index 2b62cdccd7..498b46dc02 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -1,7 +1,7 @@ name: WinEvent Windows Task Scheduler Event Action Started id: b3632472-310b-11ec-9aab-acde48001122 -version: 9 -date: '2025-05-19' +version: '10' +date: '2025-05-26' author: Michael Haag, Splunk status: production type: Hunting @@ -30,23 +30,24 @@ references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ tags: analytic_story: - - Qakbot + - IcedID + - BlackSuit Ransomware - Windows Persistence Techniques - Prestige Ransomware - - DarkCrystal RAT - - AsyncRAT - Winter Vivern - - IcedID - CISA AA22-257A - - Industroyer2 - - Sandworm Tools - - Data Destruction - Amadey - - Scheduled Tasks - - CISA AA24-241A - - BlackSuit Ransomware + - AsyncRAT - ValleyRAT - SystemBC + - Malicious Inno Setup Loader + - Scheduled Tasks + - Data Destruction + - CISA AA24-241A + - DarkCrystal RAT + - Qakbot + - Sandworm Tools + - Industroyer2 asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -58,7 +59,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational sourcetype: XmlWinEventLog 
diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index 009df622af..560e2edbed 100644 --- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -1,7 +1,7 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: 12 -date: '2025-05-02' +version: '13' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: TTP @@ -55,13 +55,14 @@ rba: type: process_name tags: analytic_story: - - Data Destruction - - WhisperGate - - Remcos - - Phemedrone Stealer - Snake Keylogger - - PXA Stealer - Meduza Stealer + - Malicious Inno Setup Loader + - Phemedrone Stealer + - Remcos + - Data Destruction + - PXA Stealer + - WhisperGate - Cactus Ransomware asset_type: Endpoint mitre_attack_id: diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml index 48672feee5..c3308bf1f5 100644 --- a/detections/network/windows_abused_web_services.yml +++ b/detections/network/windows_abused_web_services.yml @@ -1,7 +1,7 @@ name: Windows Abused Web Services id: 01f0aef4-8591-4daa-a53d-0ed49823b681 -version: 6 -date: '2025-05-02' +version: '7' +date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: TTP @@ -54,6 +54,7 @@ tags: analytic_story: - NjRAT - CISA AA24-241A + - Malicious Inno Setup Loader asset_type: Endpoint mitre_attack_id: - T1102 diff --git a/stories/malicious_inno_setup_loader.yml b/stories/malicious_inno_setup_loader.yml new file mode 100644 index 0000000000..8c148d6adb --- /dev/null +++ b/stories/malicious_inno_setup_loader.yml 
@@ -0,0 +1,20 @@ +name: Malicious Inno Setup Loader +id: +version: 1 +date: '2025-05-25' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders include monitoring unexpected process trees, script execution, and memory injection patterns originating from installer executables. Inno Setup is a widely used legitimate packaging tool, but its popularity and flexibility make it an attractive vehicle for malware delivery. Malicious actors abuse this framework to create installers that appear benign while hiding and executing embedded payloads. These loaders typically drop encrypted or obfuscated binaries to disk or inject them directly into memory without user consent. These components are typically executed via scripting (e.g., embedded PowerShell, VBScript) or injected directly into memory using process injection techniques like Process Hollowing, Thread Hijacking, or DLL Side-Loading. Some loaders include anti-analysis features such as sandbox evasion, VM detection, or delaying execution to avoid early sandbox detection. Their payloads can range from commodity malware (infostealers, keyloggers, remote access trojans) to custom backdoors. +narrative: Detecting malicious Inno Setup-based loaders involves identifying deviations from typical installer behavior. While legitimate Inno Setup binaries follow predictable installation patterns, malicious variants exhibit suspicious child process activity—such as launching cmd.exe, powershell.exe, or performing in-memory execution without dropping a visible payload. Analysts may observe payloads being written to temporary directories like %APPDATA%, %TEMP%, or %ProgramData%, followed by obfuscated execution mechanisms. Static analysis of the installer may reveal high-entropy sections, encrypted blobs, or anomalous script content embedded in the setup script. 
Behavioral analysis through EDR or sandboxing can further expose delayed execution, anti-VM logic, or environment fingerprinting techniques. Threat intelligence correlations—such as hashes, command-and-control domains, or loader-specific strings—can assist in clustering related loader campaigns. Detecting these loaders early is crucial, as they often serve as the initial access vector in multi-stage infection chains, enabling more severe intrusions or ransomware deployment. +references: +- https://x.com/Unit42_Intel/status/1919418143476199869 +- https://www.esentire.com/blog/d3f-ck-loader-the-new-maas-loader +- https://tria.ge/241129-lgghqaxqgz +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From f8727cdbab6b74f69876dfccb2b25451a9765b3d Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 26 May 2025 11:01:31 +0200 Subject: [PATCH 2/8] innoloader --- stories/malicious_inno_setup_loader.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stories/malicious_inno_setup_loader.yml b/stories/malicious_inno_setup_loader.yml index 8c148d6adb..485de9fca6 100644 --- a/stories/malicious_inno_setup_loader.yml +++ b/stories/malicious_inno_setup_loader.yml @@ -1,5 +1,5 @@ name: Malicious Inno Setup Loader -id: +id: ef8b2f11-fb0b-4acd-828c-83345e171b61 version: 1 date: '2025-05-25' author: Teoderick Contreras, Splunk From e07722a488abb46d94da0eac084d5e7e0cb765d7 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 27 May 2025 23:31:34 +0200 Subject: [PATCH 3/8] Apply suggestions from code review --- .../windows_credential_access_from_browser_password_store.yml | 2 +- ...credentials_from_password_stores_chrome_extension_access.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
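Review bot: the new stories/malicious_inno_setup_loader.yml is created with an empty `id:` field; stories require a UUID there and content validation will reject the file (PATCH 2 fills it in, but the value belongs in the commit that creates the file). In the same hunk the file has no trailing newline (`\ No newline at end of file`), the first sentence of `description` does not parse ("...activities that might relate to malicious Inno Setup-based loaders include monitoring unexpected process trees...") and reads cleanly if split after "loaders" into "This includes monitoring unexpected process trees, script execution, and memory injection patterns originating from installer executables.", and `date: '2025-05-25'` is one day behind the '2025-05-26' used on the detections updated in this commit.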
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 9efc504160..2ac2a4c2f0 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -1,6 +1,6 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 -version: '13' +version: 12 date: '2025-05-26' author: Teoderick Contreras, Bhavin Patel Splunk data_source: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index c5ab2438dd..cad69d741f 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome Extension Access id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af -version: '8' +version: 7 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production From 890de16876ed74e66fb3ab8eec616ebba18250d1 Mon Sep 17 00:00:00 2001 
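Review bot: both hunks in this patch step the version down by one while unquoting it ('13' to 12, '8' to 7), which suggests PATCH 1 bumped these files on top of an already bumped value. Before merging, confirm that 12 and 7 are exactly one higher than the values on the base branch, and apply the same check to the other files PATCH 1 touched with a quoted `version`, since the same double bump may have happened there.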
From: Teoderick Contreras Date: Wed, 28 May 2025 14:22:20 +0200 Subject: [PATCH 4/8] innoloader --- ...e_process_accessing_chrome_default_dir.yml | 14 ++-- ...um_browser_no_security_sandbox_process.yml | 73 ++++++++++++++++++ ...rowser_with_custom_user_data_directory.yml | 73 ++++++++++++++++++ .../windows_disable_browser_extensions.yml | 74 +++++++++++++++++++ .../windows_hidden_schedule_task_settings.yml | 9 ++- 5 files changed, 233 insertions(+), 10 deletions(-) create mode 100644 detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml create mode 100644 detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml create mode 100644 detections/endpoint/windows_disable_browser_extensions.yml diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 020b0bf92b..17e0056aa0 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -1,7 +1,7 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-05-25' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -15,10 +15,11 @@ description: The following analytic detects a non-Chrome process accessing files and further compromise of the affected system. data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", - "*\\explorer.exe", "*sql*")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" - | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType - ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`wineventlog_security` EventCode=4663 + NOT (ProcessName IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*", "*\\dllhost.exe")) ObjectName="*\\Google\\Chrome\\User Data\\Default*" + | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in @@ -63,6 +64,7 @@ tags: - 3CX Supply Chain Attack - DarkGate Malware - NjRAT + - Malicious Inno Setup Loader asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml new file mode 100644 index 0000000000..dc074332f1 --- /dev/null +++ b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml 
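Review bot: adding `"*\\dllhost.exe"` to the ProcessName exclusion in the non_chrome_process_accessing_chrome_default_dir.yml search hunk carves out a binary that is itself a common host for injected code and DLL hijacking (the COM surrogate), and the leading wildcard matches a dllhost.exe in any directory. If the goal is to silence legitimate COM surrogate reads of the Chrome profile, anchor the exclusion to the system path, for example `"C:\\Windows\\System32\\dllhost.exe"`, and record the exclusion and its reason in `known_false_positives` instead of leaving it undocumented. The `date` in the first hunk of this file also moves to '2025-05-25', one day earlier than the other files touched in the same commit.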
@@ -0,0 +1,73 @@ +name: Windows Chromium Browser No Security Sandbox Process +id: 314cb263-7eeb-4d45-b693-bb21699c73d2 +version: 1 +date: '2025-05-26' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome’s built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections. 
+data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe") + Processes.process = "*--no-sandbox*" + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_chromium_browser_no_security_sandbox_process_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. 
+references: +- https://unix.stackexchange.com/questions/68832/what-does-the-chromium-option-no-sandbox-mean +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A chrome process with the --no-sandbox flag was launched on $dest$ by user $user$. + risk_objects: + - field: dest + type: system + score: 60 + threat_objects: + - field: parent_process_name + type: parent_process_name +tags: + analytic_story: + - Malicious Inno Setup Loader + asset_type: Endpoint + mitre_attack_id: + - T1497 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497/chrom_no_sandbox/chrome-no_sandbox.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml new file mode 100644 index 0000000000..88f8728ed7 --- /dev/null 
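Review bot: the `Processes.process_name IN ("chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe")` filter in the new windows_chromium_browser_no_security_sandbox_process.yml is a logic problem: comparisons in a `tstats ... where` clause are case-sensitive (unlike the base `search` command), and the on-disk binaries are brave.exe, opera.exe and vivaldi.exe, so only Chrome can ever match. Use lowercase throughout and add msedge.exe, the most common Chromium browser on Windows endpoints. Two further points on the same hunk: `known_false_positives` is boilerplate ("Administrators may enable or disable this feature") while the real noise source is headless browser automation (Selenium, Puppeteer, Playwright and similar test runners routinely pass --no-sandbox), which should be named together with a hint to filter on `parent_process_name`; and `T1497` (Virtualization/Sandbox Evasion) is a mismatch, because --no-sandbox disables Chromium's own renderer sandbox rather than evading an analysis sandbox, which is closer to T1562.001 (Impair Defenses: Disable or Modify Tools). The description's "escape browser isolation" wording overstates the effect for the same reason: the flag runs renderers without the sandbox, it does not enable an escape.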
+++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml 
@@ -0,0 +1,73 @@ +name: Windows Chromium Browser with Custom User Data Directory +id: 4f546cf4-15aa-4368-80f7-940e92bc551e +version: 1 +date: '2025-05-26' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts. +data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe") + Processes.process = "*--user-data-dir*" Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_chromium_browser_with_custom_user_data_directory_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` 
datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. +references: +- https://chromium.googlesource.com/chromium/src/+/main/docs/user_data_dir.md +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A chrome process with the --user-data-dir flag was launched on $dest$ by user $user$. 
+ risk_objects: + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name +tags: + analytic_story: + - Malicious Inno Setup Loader + asset_type: Endpoint + mitre_attack_id: + - T1497 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497/chrom_no_sandbox/chrome-no_sandbox.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_disable_browser_extensions.yml b/detections/endpoint/windows_disable_browser_extensions.yml new file mode 100644 index 0000000000..fb2022e92c --- /dev/null +++ b/detections/endpoint/windows_disable_browser_extensions.yml 
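Review bot: the search in the new windows_chromium_browser_with_custom_user_data_directory.yml does not match its own description or risk message. Both say the analytic fires on `--user-data-dir`, but the where clause additionally requires `Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*")`, so a loader that passes only `--user-data-dir` is not detected; either state the full condition in `description` and `rba.message` or drop the extra flags and lean on `parent_process_name` during triage. The test reuses the no-sandbox dataset (`T1497/chrom_no_sandbox/chrome-no_sandbox.log`), so unless that capture also contains a launch with `--user-data-dir` and `--disable-gpu` the true-positive test never exercises this search; record a dedicated dataset. As with the sibling detection, `T1497` is not the right technique for this behaviour, the `tstats where` values are case-sensitive, the process_name list omits msedge.exe even though the description names Microsoft Edge, and `known_false_positives` should mention browser automation, which commonly combines `--user-data-dir` with `--disable-gpu`. The file is also missing its trailing newline.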
@@ -0,0 +1,74 @@ +name: Windows Disable Browser Extensions +id: 65224d8b-b95d-44ec-bb44-408d830c1258 +version: 1 +date: '2025-05-26' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons. + Malicious documents or scripts may leverage iexplore.exe -extoff to open phishing pages, command-and-control interfaces, or download additional payloads in an environment free from security monitoring plugins. While this flag may be used legitimately by IT administrators for troubleshooting purposes, its use in modern enterprise environments is rare and should be considered suspicious—particularly when launched by Office applications, scripting engines (e.g., PowerShell, WScript), or scheduled tasks. 
+data_source: +- Sysmon EventID 1 +- Windows Event Log Security 4688 +- CrowdStrike ProcessRollup2 +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "iexplore.exe" + Processes.process = "*-extoff*" + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_disable_browser_extensions_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrators may enable or disable this feature that may + cause some false positive. 
+references: +- https://www.hybrid-analysis.com/sample/e285feeca968b3ca22017a64363eea5e69ccd519696671df523291b089597875/588175f1aac2edf92bbed32f +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A iexplore.exe process with the -extoff flag was launched on $dest$ by user $user$. + risk_objects: + - field: dest + type: system + score: 40 + threat_objects: + - field: parent_process_name + type: parent_process_name +tags: + analytic_story: + - Malicious Inno Setup Loader + asset_type: Endpoint + mitre_attack_id: + - T1176.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1176.001/disable_extension/iexplore-extoff.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index 0a6fbfe335..9f92fcb65e 100644 
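Review bot: the new windows_disable_browser_extensions.yml is named and described more broadly than what it matches: the search only catches `iexplore.exe` with `*-extoff*`, which disables Internet Explorer add-ons, not browser extensions in general (the PATCH 8 rename to windows_disable_internet_explorer_addons.yml fixes the file name, but the first sentence of `description` and the `rba.message` should say Internet Explorer too). `T1176.001` (Browser Extensions) covers installing a malicious extension for persistence; launching IE with its add-ons turned off is the opposite, and T1562.001 (Impair Defenses: Disable or Modify Tools) matches the rationale the description gives. Since Internet Explorer 11 is retired on supported Windows 10 builds and launching iexplore.exe there redirects to Edge, `how_to_implement` should say the flag is only meaningful on hosts where IE is still enabled (for example LTSC and Server SKUs), and `known_false_positives` should name the administrator troubleshooting case the description already mentions instead of the generic "enable or disable this feature" text. The file is also missing its trailing newline.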
--- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -15,9 +15,10 @@ description: The following analytic detects the creation of hidden scheduled tas malicious payloads. data_source: - Windows Event Log Security 4698 -search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Hidden = true - | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, - Author, Hidden, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Hidden>true</Hidden>*" + | stats count min(_time) as firstTime max(_time) as lastTime by TaskName TaskContent action signature status dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_hidden_schedule_task_settings_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and @@ -68,6 +69,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/security.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/inno_schtask.log source: WinEventLog:Security sourcetype: WinEventLog From e51db2ce9caf086566b13639bb788b840cf6b12f Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 28 May 2025 14:50:39 +0200 Subject: [PATCH 5/8] innoloader --- detections/endpoint/windows_hidden_schedule_task_settings.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index 9f92fcb65e..ef9f8464c9 100644 
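Review bot: the rewritten search in the windows_hidden_schedule_task_settings.yml hunk silently changes the data requirement. `TaskContent = "*<Hidden>true</Hidden>*"` depends on the XML-rendered Security log (the `TaskContent` field only exists for the `XmlWinEventLog` rendering), whereas the old `xmlkv Message` form worked on the classic rendering; `how_to_implement` still only says "Security Log EventCode 4698" and should state that the channel must be ingested with XML rendering. In the same commit the test hunk swaps the dataset for `inno_schtask.log` but keeps `source: WinEventLog:Security` / `sourcetype: WinEventLog`, so the true-positive test cannot populate `TaskContent` (PATCH 5 fixes this; it belongs in this commit). The new `by` clause also drops `Command` and `Author`, so an analyst no longer sees what the hidden task executes without opening the raw XML; pull it back out before the stats, for example `| rex field=TaskContent "<Command>(?<Command>[^<]+)</Command>"`, and add `Command` to the `by` list.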
--- a/detections/endpoint/windows_hidden_schedule_task_settings.yml +++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -70,5 +70,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/hidden_schedule_task/inno_schtask.log - source: WinEventLog:Security - sourcetype: WinEventLog + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog From 19ae2fe24f0d46c687a787586440af6cbd6c3547 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 2 Jun 2025 09:43:51 +0200 Subject: [PATCH 6/8] innoloader --- detections/endpoint/detect_renamed_7_zip.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml index 6401da14bb..bb5427b755 100644 --- a/detections/endpoint/detect_renamed_7_zip.yml +++ b/detections/endpoint/detect_renamed_7_zip.yml @@ -1,7 +1,7 @@ name: Detect Renamed 7-Zip id: 4057291a-b8cf-11eb-95fe-acde48001122 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-06-02' author: Michael Haag, Splunk status: production type: Hunting @@ -43,6 +43,7 @@ references: tags: analytic_story: - Collection and Staging + - Malicious Inno Setup Loader asset_type: Endpoint mitre_attack_id: - T1560.001 From 838d40085ebf8407fdbc79626c0a3e5b3c3d6a63 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 2 Jun 2025 12:38:34 +0200 Subject: [PATCH 7/8] innoloader --- ...windows_process_with_tinyurl_dns_query.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 detections/endpoint/windows_process_with_tinyurl_dns_query.yml diff --git a/detections/endpoint/windows_process_with_tinyurl_dns_query.yml b/detections/endpoint/windows_process_with_tinyurl_dns_query.yml new file mode 100644 index 0000000000..ea7f57831e --- /dev/null +++ b/detections/endpoint/windows_process_with_tinyurl_dns_query.yml 
@@ -0,0 +1,66 @@ +name: Windows Process with TinyUrl DNS Query +id: b1ea79da-719c-437c-acaf-5c93f838f425 +version: 1 +date: '2025-06-02' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects a suspicious process making DNS queries to known URL shortening services, specifically tinyurl.com. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk. +data_source: +- Sysmon EventID 22 +search: '`sysmon` EventCode=22 QueryName = "tinyurl.com" + Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") + | stats count min(_time) as firstTime max(_time) as lastTime + by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName + QueryResults QueryStatus + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_process_with_tinyurl_dns_query_filter`' +how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. + We suggest you run this detection at least once a day over the last 14 days. +known_false_positives: Noise and false positive can be seen if the following instant + messaging is allowed to use within corporate network. In this case, a filter is + needed. 
+references: +- https://x.com/Unit42_Intel/status/1919418143476199869 +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Suspicious process $process_name$ made a DNS query for $QueryName$ on $dvc$ + risk_objects: + - field: dvc + type: system + score: 40 + threat_objects: + - field: process_name + type: process_name + +tags: + analytic_story: + - Malicious Inno Setup Loader + asset_type: Endpoint + mitre_attack_id: + - T1105 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog From cb45d9d0304be0e9b56c04d9a205dc872680b4e4 Mon Sep 17 00:00:00 2001 
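Review bot: the drilldowns in the new windows_process_with_tinyurl_dns_query.yml filter on `$dest$`, but the search's `stats ... by` clause emits `dvc` and never `dest`, so both drilldown searches run with an empty host filter; either rename `dvc` to `dest` in the output (and in `rba.risk_objects`, which currently uses `dvc`) or change the drilldowns to `dvc = "$dvc$"`. `QueryName = "tinyurl.com"` is an exact match and misses `www.tinyurl.com` and other subdomains; `QueryName IN ("tinyurl.com", "*.tinyurl.com")` covers them without catching unrelated domains. `known_false_positives` refers to "the following instant messaging" with no application named; if the intent is that chat clients installed under `%APPDATA%` (which the `Image` path list includes) resolve shortened links, say so explicitly. Finally, a DNS lookup of a URL shortener is better described by T1102 (Web Service), which the sibling windows_abused_web_services.yml already uses, than by T1105 (Ingress Tool Transfer).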
From: Nasreddine Bencherchali Date: Tue, 17 Jun 2025 20:32:55 +0200 Subject: [PATCH 8/8] quick fixes and updates --- ...cmd_carry_out_string_command_parameter.yml | 2 +- ..._files_and_directories_with_attrib_exe.yml | 2 +- .../endpoint/lolbas_with_network_traffic.yml | 2 +- ...um_browser_no_security_sandbox_process.yml | 16 +++++---- ...rowser_with_custom_user_data_directory.yml | 19 ++++++---- ...ssword_stores_chrome_localstate_access.yml | 2 +- ...ssword_stores_chrome_login_data_access.yml | 2 +- ...dows_disable_internet_explorer_addons.yml} | 17 +++++---- ...earch_order_hijacking_hunt_with_sysmon.yml | 2 +- ... windows_dns_query_request_to_tinyurl.yml} | 36 +++++++++++++------ .../windows_hidden_schedule_task_settings.yml | 12 ++++--- ...k_execution_flow_version_dll_side_load.yml | 2 +- ...windows_scheduled_task_created_via_xml.yml | 2 +- .../windows_suspicious_process_file_path.yml | 2 +- ..._dll_side_loading_in_same_process_path.yml | 6 ++-- ...eduled_task_created_within_public_path.yml | 2 +- ...ws_task_scheduler_event_action_started.yml | 2 +- ...ess_dns_query_known_abuse_web_services.yml | 2 +- .../network/windows_abused_web_services.yml | 2 +- stories/malicious_inno_setup_loader.yml | 14 ++++---- 20 files changed, 89 insertions(+), 57 deletions(-) rename detections/endpoint/{windows_disable_browser_extensions.yml => windows_disable_internet_explorer_addons.yml} (81%) rename detections/endpoint/{windows_process_with_tinyurl_dns_query.yml => windows_dns_query_request_to_tinyurl.yml} (58%) diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 4dc648f89b..40cc33b0ab 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml 
@@ -1,6 +1,6 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: '12' +version: 12 date: '2025-05-26' author: Teoderick Contreras, Bhavin Patel, Splunk status: production diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml index 0bed18c0b0..0b01e8825d 100644 --- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml +++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml @@ -1,6 +1,6 @@ name: Hiding Files And Directories With Attrib exe id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1 -version: '13' +version: 13 date: '2025-05-26' author: Bhavin Patel, Splunk status: production diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 530cf4f7f8..2b3b6bd436 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -1,6 +1,6 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: '11' +version: 11 date: '2025-05-26' author: Steven Dick status: production diff --git a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml index dc074332f1..226d40a9d9 100644 --- a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml +++ b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml 
@@ -5,13 +5,16 @@ date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome’s built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections. +description: | + The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome's built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. 
Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe") +search: | + | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where + Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe") Processes.process = "*--no-sandbox*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id @@ -21,8 +24,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_chromium_browser_no_security_sandbox_process_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information + | `windows_chromium_browser_no_security_sandbox_process_filter` +how_to_implement: | + To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the 
@@ -46,7 +50,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A chrome process with the --no-sandbox flag was launched on $dest$ by user $user$. + message: A chromium process with the --no-sandbox flag was launched on $dest$ by user $user$. risk_objects: - field: dest type: system diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml index 88f8728ed7..df61b908da 100644 --- a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml +++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml 
@@ -5,14 +5,18 @@ date: '2025-05-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts. +description: | + The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe") - Processes.process = "*--user-data-dir*" Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*") +search: | + | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where + Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe") + Processes.process = "*--user-data-dir*" + Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec @@ -21,8 +25,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_chromium_browser_with_custom_user_data_directory_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information + | `windows_chromium_browser_with_custom_user_data_directory_filter` +how_to_implement: | + To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the 
@@ -46,7 +51,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A chrome process with the --user-data-dir flag was launched on $dest$ by user $user$. + message: A chromium process with the --user-data-dir flag was launched on $dest$ by user $user$. risk_objects: - field: dest type: system diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 5fc0aed55a..f7d27a8279 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: '12' +version: 12 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 9dc86c330d..db2ed5556d 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: '12' +version: 12 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production diff --git a/detections/endpoint/windows_disable_browser_extensions.yml b/detections/endpoint/windows_disable_internet_explorer_addons.yml similarity index 81% rename from detections/endpoint/windows_disable_browser_extensions.yml rename to detections/endpoint/windows_disable_internet_explorer_addons.yml index fb2022e92c..810bfbd2c8 100644 
--- a/detections/endpoint/windows_disable_browser_extensions.yml +++ b/detections/endpoint/windows_disable_internet_explorer_addons.yml 
@@ -1,18 +1,21 @@ -name: Windows Disable Browser Extensions +name: Windows Disable Internet Explorer Addons id: 65224d8b-b95d-44ec-bb44-408d830c1258 version: 1 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production -type: TTP -description: The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons. +type: Anomaly +description: | + The following analytic detects the execution of iexplore.exe (Internet Explorer) with the -extoff command-line flag, which disables all browser extensions. This flag is commonly abused by adversaries to launch a clean browser session that bypasses security controls such as antivirus browser extensions, toolbars, or group policy-enforced add-ons. Malicious documents or scripts may leverage iexplore.exe -extoff to open phishing pages, command-and-control interfaces, or download additional payloads in an environment free from security monitoring plugins. While this flag may be used legitimately by IT administrators for troubleshooting purposes, its use in modern enterprise environments is rare and should be considered suspicious—particularly when launched by Office applications, scripting engines (e.g., PowerShell, WScript), or scheduled tasks. 
data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "iexplore.exe" +search: | + | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where + (Processes.process_name = "iexplore.exe" OR Processes.original_file_name="IEXPLORE.EXE") Processes.process = "*-extoff*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id @@ -22,7 +25,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_ | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_disable_browser_extensions_filter`' + | `windows_disable_internet_explorer_addons_filter` how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, @@ -47,7 +50,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A iexplore.exe process with the -extoff flag was launched on $dest$ by user $user$. + message: An iexplore.exe process with the -extoff flag was launched on $dest$ by user $user$. risk_objects: - field: dest type: system diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml index e6a80c3955..bc3b81d62a 100644 --- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml +++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml 
@@ -1,6 +1,6 @@ name: Windows DLL Search Order Hijacking Hunt with Sysmon id: 79c7d1fc-64c7-91be-a616-ccda752efe81 -version: '11' +version: 11 date: '2025-05-26' author: Michael Haag, Splunk status: production diff --git a/detections/endpoint/windows_process_with_tinyurl_dns_query.yml b/detections/endpoint/windows_dns_query_request_to_tinyurl.yml similarity index 58% rename from detections/endpoint/windows_process_with_tinyurl_dns_query.yml rename to detections/endpoint/windows_dns_query_request_to_tinyurl.yml index ea7f57831e..22ab8d8cb9 100644 --- a/detections/endpoint/windows_process_with_tinyurl_dns_query.yml +++ b/detections/endpoint/windows_dns_query_request_to_tinyurl.yml 
@@ -1,26 +1,40 @@ -name: Windows Process with TinyUrl DNS Query +name: Windows DNS Query Request To TinyUrl id: b1ea79da-719c-437c-acaf-5c93f838f425 version: 1 date: '2025-06-02' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a suspicious process making DNS queries to known URL shortening services, specifically tinyurl.com. URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk. +description: | + The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl. + URL shorteners are frequently used by threat actors to obfuscate malicious destinations, including phishing pages, malware distribution sites, or command-and-control (C2) endpoints. + While tinyurl.com is a legitimate service, its use in enterprise environments—particularly by non-browser processes or scripts—should be considered suspicious, especially if correlated with subsequent outbound connections, file downloads, process file path or credential prompts. Analysts should investigate the source process, execution context, and destination domain to determine intent and risk. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName = "tinyurl.com" - Image IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") +search: | + `sysmon` + EventCode=22 + QueryName = "tinyurl.com" + Image IN ( + "*\\AppData\\*", + "*\\Perflogs\\*", + "*\\ProgramData\\*", + "*\\Temp\\*", + "*\\Users\\Public\\*", + "*\\Windows\\Tasks\\*" + ) | stats count min(_time) as firstTime max(_time) as lastTime - by answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName - QueryResults QueryStatus + by answer answer_count dvc process_exec process_guid process_name query query_count + reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_process_with_tinyurl_dns_query_filter`' -how_to_implement: This detection relies on sysmon logs with the Event ID 22, DNS Query. + | `windows_dns_query_request_to_tinyurl_filter` +how_to_implement: | + This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. -known_false_positives: Noise and false positive can be seen if the following instant - messaging is allowed to use within corporate network. In this case, a filter is - needed. +known_false_positives: | + Noise and false positive can be seen if the following instant + messaging is allowed to use within corporate network. In this case, a filter is needed. references: - https://x.com/Unit42_Intel/status/1919418143476199869 drilldown_searches: diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml index ef9f8464c9..3dc4112025 100644 --- a/detections/endpoint/windows_hidden_schedule_task_settings.yml 
+++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml @@ -1,6 +1,6 @@ name: Windows Hidden Schedule Task Settings id: 0b730470-5fe8-4b13-93a7-fe0ad014d0cc -version: '8' +version: 8 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production @@ -15,11 +15,15 @@ description: The following analytic detects the creation of hidden scheduled tas malicious payloads. data_source: - Windows Event Log Security 4698 -search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Hidden>true</Hidden>*" - | stats count min(_time) as firstTime max(_time) as lastTime by TaskName TaskContent action signature status dest +search: | + `wineventlog_security` + EventCode=4698 + TaskContent = "*<Hidden>true</Hidden>*" + | stats count min(_time) as firstTime max(_time) as lastTime + by TaskName TaskContent action signature status dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_hidden_schedule_task_settings_filter`' + | `windows_hidden_schedule_task_settings_filter` how_to_implement: To successfully implement this search, you need to be ingesting logs with the task schedule (Exa. Security Log EventCode 4698) endpoints. Tune and filter known instances of Task schedule used in your environment. diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index 76e7658f75..d0b19a4d52 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -1,6 +1,6 @@ name: Windows Hijack Execution Flow Version Dll Side Load id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea -version: '9' +version: 9 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production 
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index 13b1ab8cba..f26cc3a4fa 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -1,6 +1,6 @@ name: Windows Scheduled Task Created Via XML id: 7e03b682-3965-4598-8e91-a60a40a3f7e4 -version: '9' +version: 9 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 0d00f41403..7a0651069a 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,6 +1,6 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: '13' +version: 13 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 9985471810..5cbdf5dd48 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -1,10 +1,8 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: '13' +version: 13 date: '2025-05-26' author: Teoderick Contreras, Splunk -data_source: -- Sysmon EventID 7 type: TTP status: production description: This detection identifies unsigned DLLs loaded through DLL side-loading 
@@ -15,6 +13,8 @@ description: This detection identifies unsigned DLLs loaded through DLL side-loa potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats. +data_source: +- Sysmon EventID 7 search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program Files*")) NOT (ImageLoaded IN ("*:\\windows\\system32\\*", "*:\\windows\\syswow64\\*", "c:\\Program diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 5f1e519bac..9de0e10c8a 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,6 +1,6 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: '16' +version: 16 date: '2025-05-26' author: Michael Haag, Splunk status: production diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index 498b46dc02..60526673ff 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -1,6 +1,6 @@ name: WinEvent Windows Task Scheduler Event Action Started id: b3632472-310b-11ec-9aab-acde48001122 -version: '10' +version: 10 date: '2025-05-26' author: Michael Haag, Splunk status: production diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index 560e2edbed..181119e92c 100644 
--- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -1,6 +1,6 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: '13' +version: 13 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml index c3308bf1f5..e3133c64ae 100644 --- a/detections/network/windows_abused_web_services.yml +++ b/detections/network/windows_abused_web_services.yml @@ -1,6 +1,6 @@ name: Windows Abused Web Services id: 01f0aef4-8591-4daa-a53d-0ed49823b681 -version: '7' +version: 7 date: '2025-05-26' author: Teoderick Contreras, Splunk status: production diff --git a/stories/malicious_inno_setup_loader.yml b/stories/malicious_inno_setup_loader.yml index 485de9fca6..53b5651d1b 100644 --- a/stories/malicious_inno_setup_loader.yml +++ b/stories/malicious_inno_setup_loader.yml 
@@ -4,12 +4,14 @@ version: 1 date: '2025-05-25' author: Teoderick Contreras, Splunk status: production -description: Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders include monitoring unexpected process trees, script execution, and memory injection patterns originating from installer executables. Inno Setup is a widely used legitimate packaging tool, but its popularity and flexibility make it an attractive vehicle for malware delivery. Malicious actors abuse this framework to create installers that appear benign while hiding and executing embedded payloads. These loaders typically drop encrypted or obfuscated binaries to disk or inject them directly into memory without user consent. These components are typically executed via scripting (e.g., embedded PowerShell, VBScript) or injected directly into memory using process injection techniques like Process Hollowing, Thread Hijacking, or DLL Side-Loading. Some loaders include anti-analysis features such as sandbox evasion, VM detection, or delaying execution to avoid early sandbox detection. Their payloads can range from commodity malware (infostealers, keyloggers, remote access trojans) to custom backdoors. -narrative: Detecting malicious Inno Setup-based loaders involves identifying deviations from typical installer behavior. While legitimate Inno Setup binaries follow predictable installation patterns, malicious variants exhibit suspicious child process activity—such as launching cmd.exe, powershell.exe, or performing in-memory execution without dropping a visible payload. Analysts may observe payloads being written to temporary directories like %APPDATA%, %TEMP%, or %ProgramData%, followed by obfuscated execution mechanisms. Static analysis of the installer may reveal high-entropy sections, encrypted blobs, or anomalous script content embedded in the setup script. 
Behavioral analysis through EDR or sandboxing can further expose delayed execution, anti-VM logic, or environment fingerprinting techniques. Threat intelligence correlations—such as hashes, command-and-control domains, or loader-specific strings—can assist in clustering related loader campaigns. Detecting these loaders early is crucial, as they often serve as the initial access vector in multi-stage infection chains, enabling more severe intrusions or ransomware deployment. +description: | + Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders include monitoring unexpected process trees, script execution, and memory injection patterns originating from installer executables. Inno Setup is a widely used legitimate packaging tool, but its popularity and flexibility make it an attractive vehicle for malware delivery. Malicious actors abuse this framework to create installers that appear benign while hiding and executing embedded payloads. These loaders typically drop encrypted or obfuscated binaries to disk or inject them directly into memory without user consent. These components are typically executed via scripting (e.g., embedded PowerShell, VBScript) or injected directly into memory using process injection techniques like Process Hollowing, Thread Hijacking, or DLL Side-Loading. Some loaders include anti-analysis features such as sandbox evasion, VM detection, or delaying execution to avoid early sandbox detection. Their payloads can range from commodity malware (infostealers, keyloggers, remote access trojans) to custom backdoors. +narrative: | + Detecting malicious Inno Setup-based loaders involves identifying deviations from typical installer behavior. 
While legitimate Inno Setup binaries follow predictable installation patterns, malicious variants exhibit suspicious child process activity—such as launching cmd.exe, powershell.exe, or performing in-memory execution without dropping a visible payload. Analysts may observe payloads being written to temporary directories like %APPDATA%, %TEMP%, or %ProgramData%, followed by obfuscated execution mechanisms. Static analysis of the installer may reveal high-entropy sections, encrypted blobs, or anomalous script content embedded in the setup script. Behavioral analysis through EDR or sandboxing can further expose delayed execution, anti-VM logic, or environment fingerprinting techniques. Threat intelligence correlations—such as hashes, command-and-control domains, or loader-specific strings—can assist in clustering related loader campaigns. Detecting these loaders early is crucial, as they often serve as the initial access vector in multi-stage infection chains, enabling more severe intrusions or ransomware deployment. references: -- https://x.com/Unit42_Intel/status/1919418143476199869 -- https://www.esentire.com/blog/d3f-ck-loader-the-new-maas-loader -- https://tria.ge/241129-lgghqaxqgz + - https://x.com/Unit42_Intel/status/1919418143476199869 + - https://www.esentire.com/blog/d3f-ck-loader-the-new-maas-loader + - https://tria.ge/241129-lgghqaxqgz tags: category: - Malware @@ -17,4 +19,4 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - usecase: Advanced Threat Detection \ No newline at end of file + usecase: Advanced Threat Detection
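Review bot: The version hunk in cmd_carry_out_string_command_parameter.yml reverts the quoted `'12'` introduced by the previous patch in this series back to an unquoted `12`, and the same quote/unquote flip repeats in every other detection file touched here. The unquoted integer is the convention the new files already use (`version: 1`), so the change itself is right, but consider squashing the two patches so the history shows a single 11 to 12 bump rather than a change followed by its partial revert.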
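Review bot: The process_name list in the windows_chromium_browser_no_security_sandbox_process.yml search hunk mixes cases ("Chrome.exe", "Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe") where the previous version used lowercase "chrome.exe". If the datamodel comparison is case-sensitive in a given deployment, "Chrome.exe" will not match the on-disk image name chrome.exe, and the inconsistency will mislead the next maintainer either way. Suggest lowercasing the whole list, for example `Processes.process_name IN ("chrome.exe","brave.exe","opera.exe","vivaldi.exe","msedge.exe")`, and since msedge.exe was added to the list, the description's "Chrome or Chromium-based browser" wording could mention Edge explicitly.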
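Review bot: The search in the windows_chromium_browser_with_custom_user_data_directory.yml hunk requires `Processes.process IN ("*--disable-gpu*", "*--disable-3d-apis*")` in addition to `*--user-data-dir*`, but the description only talks about the --user-data-dir flag. A reader tuning this analytic will not know why a plain --user-data-dir launch is not alerting; state in the description (or known_false_positives) that the headless-style flags are part of the match condition. The process_name list in this hunk has the same mixed-case issue as the no-sandbox analytic and should use the same lowercase list.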
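Review bot: The filter macro is renamed to `windows_disable_internet_explorer_addons_filter` in the windows_disable_internet_explorer_addons.yml hunk, but no macro definition is updated anywhere in this diff; if the corresponding macro file is not renamed alongside, the search will fail to resolve the macro at run time. Also, `type` changes from TTP to Anomaly while the rba and risk fields are untouched; confirm the risk score still fits an Anomaly. Minor: `how_to_implement` stays a plain scalar here while the sibling files in this change were converted to `|` block scalars.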
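Review bot: known_false_positives in the windows_dns_query_request_to_tinyurl.yml hunk still reads "if the following instant messaging is allowed to use within corporate network", which is a leftover from another analytic and does not describe this detection; it should say that legitimate software running from the listed user-writable paths may resolve tinyurl.com and needs filtering. Note that `QueryName = "tinyurl.com"` is an exact match, so subdomain lookups are out of scope; the description's "specifically tinyurl" wording is consistent with that, but say so explicitly if it is intentional. The date '2025-06-02' also differs from the '2025-05-26' used across the rest of this change.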
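Review bot: The first sentence of the description in the stories/malicious_inno_setup_loader.yml hunk is ungrammatical ("Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders include monitoring ..."); suggest "Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders, including unexpected process trees, script execution, and memory injection patterns originating from installer executables." The references list is now indented two spaces under `references:`, which differs from the unindented `- ` list style the detection files in this same change use; pick one convention for the repository.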