splunk · patel-bhavin · Sep 4, 2025 · Aug 14, 2025 · Aug 14, 2025 · Aug 25, 2025
@@ -0,0 +1,76 @@
+name: Windows Certutil Root Certificate Addition
+id: e9926391-ec0c-4bad-8a95-e450dbf6aae4
+version: 1
+date: '2025-08-06'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the -addstore root command. In this case, the certificate is loaded from a temporary file path (e.g., %TEMP%), which is highly suspicious and uncommon in legitimate administrative activity. This behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls. The use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks. This should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications.You should monitor when new certificates are added to the root store because this store is what your system uses to decide which websites, apps, and software can be trusted. If an attacker manages to add their own certificate there, they can silently intercept encrypted traffic, impersonate trusted websites, or make malicious programs look safe. This means they could steal sensitive data, bypass security tools, and keep access to your system even after other malware is removed. In simple terms, adding a rogue root certificate gives attackers a master key to your trust system — and if it goes unnoticed, the impact could be a complete compromise of your security.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
+  as process max(_time) as lastTime from datamodel=Endpoint.Processes 
+  where `process_certutil` Processes.process=*-addstore* Processes.process=*root*
+  by Processes.action Processes.dest Processes.original_file_name
+  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+  Processes.user Processes.user_id Processes.vendor_product 
+  | `drop_dm_object_name("Processes")`
+  | `security_content_ctime(firstTime)` 
+  |`security_content_ctime(lastTime)` 
+  | `windows_certutil_root_certificate_addition_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: administrator may use certutil to add a root certificate to the store.
+  Filter as needed or restrict to critical assets on the perimeter.
+references:
+- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A certificate was added to the Root certificate store by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 40
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+tags:
+  analytic_story:
+  - Secret Blizzard
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1587.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,66 @@
+name: Windows Set Private Network Profile via Registry
+id: a277acde-9bfd-4edb-b201-7cfc504003e2
+version: 1
+date: '2025-08-06'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects attempts to modify the Windows Registry to change a network profile's category to "Private", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. Monitoring for this registry modification—especially outside standard IT processes or correlated with persistence mechanisms—can help identify stealthy post-exploitation activity.
+data_source:
+  - Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
+  WHERE (Registry.registry_value_name= "Category" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles*") Registry.registry_value_data = 0x00000000
+  by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product 
+  | `drop_dm_object_name(Registry)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `windows_set_private_network_profile_via_registry_filter`'
+how_to_implement:
+  To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure
+  that this registry was included in your config files ex. sysmon config to be monitored.
+known_false_positives:
+  Administrators may enable or disable this feature that may
+  cause some false positive, however is not common. Filter as needed.
+references:
+- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
+drilldown_searches:
+  - name: View the detection results for - "$user$" and "$dest$"
+    search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+      "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: A registry modification that set network profile to private on [$dest$]
+  risk_objects:
+  - field: dest
+    type: system
+    score: 40
+  threat_objects: []
+tags:
+  analytic_story:
+  - Secret Blizzard
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1112
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,18 @@
+name: Secret Blizzard
+id: 4027c5cc-e9df-49df-b824-be51c1e1e13a
+version: 1
+status: production
+date: '2025-08-05'
+author: Teoderick Contreras, Splunk
+description: Detects suspicious use of captive portal redirection chains abusing msftconnecttest.com/redirect, particularly during network sign-in events. Look for anomalous HTTP GET requests to domains mimicking certificate authorities (e.g., fake Digicert or Kaspersky-related hosts). Flag user execution of CertificateDB.exe, which may request elevated privileges and install unauthorized custom root certificates. Monitor for persistence tactics such as creation of hidden local admin accounts, modification of firewall or network profile settings, and DLL sideloading involving oci.dll or duser.dll. Additional indicators include encoded metadata in DNS queries, exfiltration over DNS, or encrypted communications to suspicious or newly registered domains, suggesting command-and-control activity. These behaviors may indicate adversary-in-the-middle (AiTM) interception by a capable, nation-state actor.
+narrative: In early February 2025, Microsoft Threat Intelligence uncovered a sophisticated adversary-in-the-middle (AiTM) campaign by the Russian state-linked APT group Secret Blizzard (also known as Turla or Venomous Bear), targeting diplomatic entities operating in Moscow. The attackers hijacked Windows network connectivity checks to msftconnecttest.com/redirect by exploiting captive portal redirection techniques—likely through compromised or manipulated local ISP infrastructure. Victims were redirected to a fake network sign-in page prompting the download of CertificateDB.exe, disguised as a legitimate security application. Upon execution, the malware installed a rogue root certificate, adjusted firewall rules, created hidden local administrator accounts, and enabled TLS interception. Exfiltration occurred via DNS queries and encrypted traffic to attacker-controlled domains. This campaign marks a significant escalation in domestic ISP-level surveillance, enabling credential theft and encrypted traffic inspection against foreign diplomats—highlighting the evolving scope of nation-state cyber-espionage inside Russian borders.
+references: 
+- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection