diff --git a/data_sources/sysmon_eventid_29.yml b/data_sources/sysmon_eventid_29.yml new file mode 100644 index 0000000000..f6e76fbb20 --- /dev/null +++ b/data_sources/sysmon_eventid_29.yml @@ -0,0 +1,62 @@ +name: Sysmon EventID 29 +id: 06c61e04-2d07-4e85-bcd5-8110938b1b18 +version: 1 +date: '2025-11-14' +author: Teoderick Contreras, Splunk +description: Data source object for Sysmon EventID 29 +source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +sourcetype: XmlWinEventLog +separator: EventID +configuration: https://github.com/SwiftOnSecurity/sysmon-config +supported_TA: +- name: Splunk Add-on for Sysmon + url: https://splunkbase.splunk.com/app/5709 + version: 5.0.0 +fields: +- _time +- action +- dest +- dvc +- Image +- EventID +- EventCode +- event_type +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- User +- UserID +- TargetFilename +- process_id +- ProcessID +- Hashes +- EventRecordID +- Keywords +- Channel +- IMPHASH +- file_hash +- file_name +- file_path +- severity +- signature +- signature_id +- user +- user_id +- SecurityID +- process_guid +output_fields: +- Image +- file_name +- file_path +- process_guid +- file_hash +- process_id +- dest +- user +- EventCode +example_log: 29542900x80000000000000003374716Microsoft-Windows-Sysmon/Operationalar-win-dc-2025-11-14 10:09:37.697{CA8A6768-FFA9-6916-9303-000000000304}1436AR-WIN-DC\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\lScun7w.docxMD5=1E6E804CA71EAF5BEF0ABEF95C578CF0,SHA256=6FFE12CDFE0A36DEC4B4A40ECDAFB4097B1AF7C340B0FCECF9F5C67B7FA8B299,IMPHASH=2C4D798BB87EC57193B7625C4259DA43 diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 90bd77b1a4..2af3ea7744 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml 
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -1,7 +1,7 @@ name: Add or Set Windows Defender Exclusion id: 773b66fe-4dd9-11ec-8289-acde48001122 -version: 11 -date: '2025-10-01' +version: 12 +date: '2025-11-20' author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: TTP @@ -93,6 +93,7 @@ tags: - WhisperGate - Windows Defense Evasion Tactics - Crypto Stealer + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.001 @@ -106,4 +107,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml index 86635b0ab5..eedfdc407b 100644 --- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml +++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml @@ -1,7 +1,7 @@ name: Allow Inbound Traffic In Firewall Rule id: a5d85486-b89c-11eb-8267-acde48001122 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -53,6 +53,7 @@ rba: tags: analytic_story: - Prohibited Traffic Allowed or Protocol Mismatch + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1021.001 @@ -66,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file 
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml index d924662ab3..210f6e6ac4 100644 --- a/detections/endpoint/detect_mshta_url_in_command_line.yml +++ b/detections/endpoint/detect_mshta_url_in_command_line.yml @@ -1,7 +1,7 @@ name: Detect MSHTA Url in Command Line id: 9b3af1e6-5b68-11eb-ae93-0242ac130002 -version: 15 -date: '2025-09-18' +version: 16 +date: '2025-11-20' author: Michael Haag, Splunk status: production type: TTP @@ -89,6 +89,7 @@ tags: - Suspicious MSHTA Activity - XWorm - Cisco Network Visibility Module Analytics + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1218.005 @@ -107,4 +108,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log source: not_applicable - sourcetype: cisco:nvm:flowdata + sourcetype: cisco:nvm:flowdata \ No newline at end of file diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 9fc01db421..29f6603e85 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,7 +1,7 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 16 -date: '2025-10-14' +version: 17 +date: '2025-11-20' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -69,6 +69,7 @@ tags: - RedLine Stealer - Cactus Ransomware - Scattered Lapsus$ Hunters + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.001 
@@ -82,4 +83,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml index 17bca46e5a..9d4d09e581 100644 --- a/detections/endpoint/domain_controller_discovery_with_nltest.yml +++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml @@ -1,7 +1,7 @@ name: Domain Controller Discovery with Nltest id: 41243735-89a7-4c83-bcdd-570aa78f00a1 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-11-20' author: Mauricio Velazco, Splunk status: production type: TTP @@ -66,6 +66,7 @@ tags: - Medusa Ransomware - BlackSuit Ransomware - Rhysida Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1018 @@ -79,4 +80,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 9730c57221..e4b4e5f543 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -1,7 +1,7 @@ name: ICACLS Grant Command id: b1b1e316-accc-11eb-a9b4-acde48001122 -version: 8 -date: '2025-06-17' +version: 9 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -76,6 +76,7 @@ tags: - Crypto Stealer - XMRig - Defense Evasion or Unauthorized Access Via SDDL Tampering + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1222 @@ -89,4 +90,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 6cc8b47857..4fbbbd6a2d 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -1,7 +1,7 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 13 -date: '2025-10-20' +version: 14 +date: '2025-11-20' author: Steven Dick status: production type: TTP @@ -143,6 +143,7 @@ tags: - APT37 Rustonotto and FadeStealer - GhostRedirector IIS Module and Rungan Backdoor - Hellcat Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1105 @@ -158,4 +159,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml index 0e6f0af6eb..c1f7bffde2 100644 --- a/detections/endpoint/ntdsutil_export_ntds.yml +++ b/detections/endpoint/ntdsutil_export_ntds.yml @@ -1,7 +1,7 @@ name: Ntdsutil Export NTDS id: da63bc76-61ae-11eb-ae93-0242ac130002 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-11-20' author: Michael Haag, Patrick Bareiss, Splunk status: production type: TTP 
@@ -72,6 +72,7 @@ tags: - Prestige Ransomware - Volt Typhoon - Rhysida Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1003.003 @@ -85,4 +86,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index d3c70a4196..d8af1336b1 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -1,7 +1,7 @@ name: Powershell Fileless Script Contains Base64 Encoded Content id: 8acbc04c-c882-11eb-b060-acde48001122 -version: 14 -date: '2025-10-24' +version: 15 +date: '2025-11-20' author: Michael Haag, Splunk status: production type: TTP @@ -68,6 +68,7 @@ tags: - GhostRedirector IIS Module and Rungan Backdoor - Hellcat Ransomware - Microsoft WSUS CVE-2025-59287 + - NetSupport RMM Tool Abuse mitre_attack_id: - T1027 - T1059.001 diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index 618d8d0481..d04bb38d72 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -1,7 +1,7 @@ name: Powershell Windows Defender Exclusion Commands id: 907ac95c-4dd9-11ec-ba2c-acde48001122 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -61,6 +61,7 @@ tags: - Data Destruction - WhisperGate - Warzone RAT + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.001 @@ -74,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 75df6a4b29..37148fc31f 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 26 -date: '2025-09-18' +version: 27 +date: '2025-11-20' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP @@ -117,6 +117,7 @@ tags: - Interlock Ransomware - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index f8eb4443af..2d34e4cdea 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 21 -date: '2025-09-30' +version: 22 +date: '2025-11-20' author: Bhavin Patel, Splunk status: production type: TTP @@ -107,6 +107,7 @@ tags: - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer - Lokibot + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1053.005 
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 8f0eab66a2..58fc0587f8 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 16 -date: '2025-09-30' +version: 17 +date: '2025-11-20' author: Michael Haag, Splunk status: production type: Anomaly @@ -90,6 +90,7 @@ tags: - Scattered Spider - APT37 Rustonotto and FadeStealer - Lokibot + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 7c21b91cb4..dd7f00d69d 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -1,7 +1,7 @@ name: System Information Discovery Detection id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72 -version: 11 -date: '2025-08-27' +version: 12 +date: '2025-11-20' author: Patrick Bareiss, Splunk status: production type: TTP @@ -83,6 +83,7 @@ tags: - Cleo File Transfer Software - Interlock Ransomware - LAMEHUG + - NetSupport RMM Tool Abuse asset_type: Windows mitre_attack_id: - T1082 diff --git a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml index ae308eeb3e..3b528302de 100644 --- a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml +++ b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml 
@@ -1,7 +1,7 @@ name: Windows Cabinet File Extraction Via Expand id: 4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f -version: 1 -date: '2025-09-18' +version: 2 +date: '2025-11-20' author: Michael Haag, Splunk status: production type: TTP @@ -61,12 +61,13 @@ rba: - field: user type: system score: 30 - threat_objects: + threat_objects: - field: process_name type: process_name tags: analytic_story: - APT37 Rustonotto and FadeStealer + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1105 @@ -78,7 +79,8 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/expand_windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml index a1fe9b0bfe..55b0c9e7fa 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Creation id: c0c5a479-bf57-4ca0-af3a-4c7081e5ba05 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -65,6 +65,7 @@ tags: analytic_story: - Compromised Windows Host - DarkGate Malware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1555 
@@ -78,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml index eb743fc008..b2d7e2d8b9 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Deletion id: 46d676aa-40c6-4fe6-b917-d23b621f0f89 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -64,6 +64,7 @@ tags: analytic_story: - Compromised Windows Host - DarkGate Malware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1555 @@ -77,4 +78,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml index 24cb33a13b..4c09031f0e 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_query.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml 
@@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Query id: db02d6b4-5d5b-4c33-8d8f-f0577516a8c7 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -68,6 +68,7 @@ tags: - Windows Post-Exploitation - Prestige Ransomware - DarkGate Malware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1555 @@ -81,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index 40599d131e..808f565d25 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Defender Exclusion Registry Entry id: 13395a44-4dd9-11ec-9df7-acde48001122 -version: '12' -date: '2025-05-06' +version: 13 +date: '2025-11-20' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -65,6 +65,7 @@ tags: - Azorult - Warzone RAT - Windows Defense Evasion Tactics + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.001 @@ -78,4 +79,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file 
diff --git a/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml b/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml new file mode 100644 index 0000000000..776149946c --- /dev/null +++ b/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml 
@@ -0,0 +1,73 @@ +name: Windows Executable Masquerading as Benign File Types +id: 0470c8e7-dd8d-420f-8302-073e8a2b66f0 +version: 1 +date: '2025-11-20' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: | + The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables with extensions commonly associated with documents, images, or other non-executable formats (e.g., .pdf, .jpg, .doc, .png). +data_source: +- Sysmon EventID 29 +search: | + `sysmon` + EventCode=29 + NOT `executable_extensions` + | stats count min(_time) as firstTime max(_time) as lastTime + by Image file_name file_path process_guid file_hash process_id dest user EventCode + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_executable_masquerading_as_benign_file_types_filter` +how_to_implement: | + To implement Sysmon EventCode 29 (File Block Executable), you must ensure that your Sysmon deployment is configured to log instances where executable file creation is blocked based on your organization's FileBlockExecutable rules. Once enabled, the corresponding Splunk search requires Sysmon operational logs and an input macro named sysmon, which should be customized to match your environment-specific index, source, and sourcetype settings for Windows Sysmon data. We strongly recommend replacing this macro with values appropriate to your Splunk environment so the search scopes correctly. The search also uses a post-filter macro designed to filter out known false positives. +known_false_positives: | + File types that are not included in the filter for this detection may generate false positives, so proper filtering is required. 
+references: + - https://www.linkedin.com/posts/mauricefielenbach_cybersecurity-incidentresponse-dfir-activity-7394805779448418304-g0gZ?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAuFTjIB5weY_kcyu4qp3kHbI4v49tO0zEk + - https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/ + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A valid Windows PE executable $file_name$ located in $file_path$ was dropped on $dest$, disguised as a non-executable file type. 
+ risk_objects: + - field: dest + type: system + score: 50 + threat_objects: + - field: Image + type: process + - field: file_name + type: file_name + - field: file_path + type: file_path +tags: + analytic_story: + - NetSupport RMM Tool Abuse + asset_type: Endpoint + mitre_attack_id: + - T1036.008 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.008/masquerading_executable_as_non_exec_file_type/non_exec_ext_but_exec_detected.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml index bec65dffb8..f9dca6c7d7 100644 --- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml +++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml @@ -1,7 +1,7 @@ name: Windows File and Directory Enable ReadOnly Permissions id: 1ae407b0-a042-4eb0-834a-590da055575e -version: 3 -date: '2025-05-02' +version: 4 +date: '2025-11-20' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 1 @@ -69,6 +69,7 @@ rba: tags: analytic_story: - Crypto Stealer + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1222.001 @@ -82,4 +83,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file 
diff --git a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml index defdc40372..4ade529f48 100644 --- a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml +++ b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml @@ -1,7 +1,7 @@ name: Windows File and Directory Permissions Enable Inheritance id: 0247f90a-aca4-47b2-a94d-e30f445d7b41 -version: 3 -date: '2025-05-02' +version: 4 +date: '2025-11-20' author: Teoderick Contreras, Splunk type: Hunting status: production @@ -56,6 +56,7 @@ drilldown_searches: tags: analytic_story: - Crypto Stealer + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1222.001 @@ -69,4 +70,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_process_1.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index c78e72b593..9f0bc730d1 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows File Download Via PowerShell id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de -version: 4 -date: '2025-10-24' +version: 5 +date: '2025-11-20' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -105,6 +105,7 @@ tags: - HAFNIUM Group - XWorm - Cisco Network Visibility Module Analytics + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1059.001 
@@ -124,4 +125,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log source: not_applicable - sourcetype: cisco:nvm:flowdata + sourcetype: cisco:nvm:flowdata \ No newline at end of file diff --git a/detections/endpoint/windows_firewall_rule_added.yml b/detections/endpoint/windows_firewall_rule_added.yml index 557d683043..6f9020278a 100644 --- a/detections/endpoint/windows_firewall_rule_added.yml +++ b/detections/endpoint/windows_firewall_rule_added.yml @@ -1,7 +1,7 @@ name: Windows Firewall Rule Added id: efc25501-4e75-4075-8cc5-ac80f2847d80 -version: 2 -date: '2025-05-02' +version: 3 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -41,6 +41,7 @@ tags: analytic_story: - ShrinkLocker - Medusa Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.004 @@ -54,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_firewall_rule_deletion.yml b/detections/endpoint/windows_firewall_rule_deletion.yml index d2202a7da2..2fd0be6049 100644 --- a/detections/endpoint/windows_firewall_rule_deletion.yml +++ b/detections/endpoint/windows_firewall_rule_deletion.yml @@ -1,7 +1,7 @@ name: Windows Firewall Rule Deletion id: ca5327e1-0a91-4e23-bbd4-8901806c00e1 -version: 2 -date: '2025-05-02' +version: 3 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -41,6 +41,7 @@ tags: analytic_story: - ShrinkLocker - Medusa Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.004 
diff --git a/detections/endpoint/windows_firewall_rule_modification.yml b/detections/endpoint/windows_firewall_rule_modification.yml index bbd296a2ba..b0cf532310 100644 --- a/detections/endpoint/windows_firewall_rule_modification.yml +++ b/detections/endpoint/windows_firewall_rule_modification.yml @@ -1,7 +1,7 @@ name: Windows Firewall Rule Modification id: fe7efbf7-5f82-44b9-8c33-316189ab2393 -version: 2 -date: '2025-05-02' +version: 3 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -41,6 +41,7 @@ tags: analytic_story: - ShrinkLocker - Medusa Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1562.004 @@ -54,4 +55,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml index 78cae05867..ef9671bf14 100644 --- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml +++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry Delete Firewall Rules id: 41c61539-98ca-4750-b3ec-7c29a2f06343 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-11-20' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 12 @@ -59,6 +59,7 @@ tags: analytic_story: - ShrinkLocker - CISA AA24-241A + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1112 
@@ -72,4 +73,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml index 05b396733f..f246eea266 100644 --- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml +++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry to Add or Modify Firewall Rule id: 43254751-e2ce-409a-b6b4-4f851e8dcc26 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-11-20' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 13 @@ -62,6 +62,7 @@ tags: analytic_story: - ShrinkLocker - CISA AA24-241A + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1112 @@ -75,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml b/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml new file mode 100644 index 0000000000..be3ce8eec2 --- /dev/null +++ b/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml 
@@ -0,0 +1,86 @@ +name: Windows NetSupport RMM DLL Loaded By Uncommon Process +id: 125f96f9-6f34-418b-b868-c4a8d7fb865f +version: 1 +date: '2025-11-20' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: | + The following analytic detects the loading of specific dynamic-link libraries (DLLs) associated with the NetSupport Remote Manager (RMM) tool by any process on a Windows system. + Modules such as CryptPak.dll, HTCTL32.DLL, IPCTL32.DLL, keyshowhook.dll, pcicapi.DLL, PCICL32.DLL, and TCCTL32.DLL, are integral to NetSupport's functionality. + This detection is particularly valuable when these modules are loaded by processes running from unusual directories (e.g., Downloads, ProgramData, or user-specific folders) rather than the legitimate Program Files installation path, or by executables that have been renamed but retain the internal "client32" identifier. + This helps to identify instances where the legitimate NetSupport tool is being misused by adversaries as a Remote Access Trojan (RAT). 
+data_source: +- Sysmon EventID 7 +search: | + `sysmon` + EventCode=7 + ImageLoaded IN ( + "*\\CryptPak.dll", + "*\\HTCTL32.DLL", + "*\\pcicapi.dll", + "*\\pcichek.dll", + "*\\PCICL32.DLL", + "*\\TCCTL32.DLL" + ) + NOT Image IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") + Signature = "NetSupport Ltd*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec + process_guid process_hash process_id process_name process_path service_dll_signature_exists + service_dll_signature_verified signature signature_id user_id vendor_product + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_netsupport_rmm_dll_loaded_by_uncommon_process_filter` +how_to_implement: | + To successfully implement this search, you need to be ingesting logs with the process name and ImageLoaded executions from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: | + NetSupport RMM installations outside of the standard Program Files directory will trigger this detection. + Apply appropriate filters to exclude known legitimate installations. 
+references: +- https://www.linkedin.com/posts/mauricefielenbach_cybersecurity-incidentresponse-dfir-activity-7394805779448418304-g0gZ?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAuFTjIB5weY_kcyu4qp3kHbI4v49tO0zEk +- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ +- https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The following module $ImageLoaded$ was loaded by a non-standard application + on endpoint $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: + - field: Image + type: process_name +tags: + analytic_story: + - NetSupport RMM Tool Abuse + asset_type: Endpoint + mitre_attack_id: + - T1036 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/netsupport_modules/net_support_module.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
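Review bot: The DLL list in `description` and the one in `search` disagree: the description names IPCTL32.DLL and keyshowhook.dll, which the `ImageLoaded IN (...)` clause never matches, while the search matches `"*\\pcichek.dll"`, which the description never mentions; align the two so anyone tuning `windows_netsupport_rmm_dll_loaded_by_uncommon_process_filter` knows exactly which modules fire. The description also says the analytic covers executables that "have been renamed but retain the internal "client32" identifier", yet nothing in the search tests `original_file_name` (it only appears in the `by` clause), and its first sentence says "by any process" although `NOT Image IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*")` deliberately drops processes under Program Files. `Signature = "NetSupport Ltd*"` means an unsigned or re-signed copy of these modules will not match; that is a reasonable trade-off but belongs in `known_false_positives` or `how_to_implement` next to the Sysmon TA version requirement. Smaller points: `drilldown_searches` indents its list items under the key while `windows_runmru_registry_key_or_value_deleted.yml` in this same change puts them at column 0, and `mitre_attack_id: T1036` could be paired with T1219 (Remote Access Software), which is the technique the analytic story is about.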
diff --git a/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml b/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml index 414888f76a..ca62b17265 100644 --- a/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml +++ b/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml @@ -1,7 +1,7 @@ name: Windows PowerShell FakeCAPTCHA Clipboard Execution id: d81d4d3d-76b5-4f21-ab51-b17d5164c106 -version: 4 -date: '2025-10-14' +version: 5 +date: '2025-11-20' author: Michael Haag, Splunk status: production type: TTP @@ -91,6 +91,7 @@ tags: - Fake CAPTCHA Campaigns - Cisco Network Visibility Module Analytics - Interlock Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1059.001 @@ -112,4 +113,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log source: not_applicable - sourcetype: cisco:nvm:flowdata + sourcetype: cisco:nvm:flowdata \ No newline at end of file diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml index 33cbee3ddd..979846c9f3 100644 --- a/detections/endpoint/windows_rdp_connection_successful.yml +++ b/detections/endpoint/windows_rdp_connection_successful.yml @@ -1,7 +1,7 @@ name: Windows RDP Connection Successful id: ceaed840-56b3-4a70-b8e1-d762b1c5c08c -version: 8 -date: '2025-08-08' +version: 9 +date: '2025-11-20' author: Michael Haag, Splunk status: production type: Hunting @@ -34,6 +34,7 @@ tags: - BlackByte Ransomware - Windows RDP Artifacts and Defense Evasion - Interlock Ransomware + - NetSupport RMM Tool Abuse asset_type: Endpoint atomic_guid: [] mitre_attack_id: 
diff --git a/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml b/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml new file mode 100644 index 0000000000..8966e273a7 --- /dev/null +++ b/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml 
@@ -0,0 +1,69 @@ +name: Windows RunMRU Registry Key or Value Deleted +id: e651795f-b2c9-4a84-a18a-b901018a3bfa +version: 1 +date: '2025-11-20' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor. 
+data_source: +- Sysmon EventID 12 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry + where Registry.registry_path = "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" Registry.action = deleted + by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name + Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type + Registry.status Registry.user Registry.vendor_product + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_runmru_registry_key_or_value_deleted_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: This event can be seen when administrator delete a history manually + or uninstall/reinstall a software that creates MRU registry entry. It is recommended + to check this alert with high priority. 
+references: +- https://www.linkedin.com/posts/mauricefielenbach_cybersecurity-incidentresponse-dfir-activity-7394805779448418304-g0gZ?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAuFTjIB5weY_kcyu4qp3kHbI4v49tO0zEk +- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ +- https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A most recent used entry was deleted on $dest$ within the Windows registry. + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: [] +tags: + analytic_story: + - NetSupport RMM Tool Abuse + asset_type: Endpoint + mitre_attack_id: + - T1112 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/delete_runmru_reg/runmru_deletion.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog 
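Review bot: The `search` matches only `Registry.action = deleted`, but the `description` promises detection of "deletion or modification" and specifically "modification of the MRUList value"; with `data_source` limited to Sysmon EventID 12 (key/value create and delete), MRUList rewrites (Sysmon EventID 13, value set) are not covered, so either narrow the description to deletions or add EventID 13 and the corresponding `Registry.action` values. The description also says the signal matters most "when performed by unusual processes", yet the `by` clause carries only `Registry.process_guid` and `Registry.process_id`, `threat_objects: []` is empty, and the `rba.message` names no process, so an analyst cannot tell which process deleted the key without a second search; consider grouping on the process name or path field the Registry data model exposes and making it the threat object. `known_false_positives` has grammar slips ("when administrator delete a history", "a software that creates MRU registry entry"), and its "check this alert with high priority" sits oddly beside `type: Anomaly` and `score: 10`; pick one.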
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 00f8632a88..90e991fb8f 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: 11 -date: '2025-10-31' +version: 12 +date: '2025-11-20' author: Teoderick Contreras, Splunk status: production type: TTP @@ -75,6 +75,7 @@ tags: - RedLine Stealer - Compromised Windows Host - Castle RAT + - NetSupport RMM Tool Abuse asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/macros/executable_extensions.yml b/macros/executable_extensions.yml new file mode 100644 index 0000000000..2cb1c0af9f --- /dev/null +++ b/macros/executable_extensions.yml @@ -0,0 +1,3 @@ +definition: (TargetFilename IN ("*.exe", "*.dll", "*.sys", "*.ocx", "*.scr", "*.cpl", "*.efi", "*.drv", "*.bpl", "*.ax", "*.ime", "*.acm", "*.rll", "*.tsp")) +description: matches known executable file extension +name: executable_extensions diff --git a/stories/netsupport_rmm_tool_abuse.yml b/stories/netsupport_rmm_tool_abuse.yml new file mode 100644 index 0000000000..14fa0653b8 --- /dev/null +++ b/stories/netsupport_rmm_tool_abuse.yml 
@@ -0,0 +1,20 @@ +name: NetSupport RMM Tool Abuse +id: 423cb98f-bd3d-4d82-925d-573897fc0d2f +version: 1 +date: '2025-11-14' +author: Teoderick Contreras, Splunk +status: production +description: Detection analytics for the NetSupport Remote Manager Tool primarily focus on identifying its misuse, as it's a legitimate tool often leveraged by adversaries. Endpoint detection involves flagging the client32.exe executable running from unusual directories like Downloads or ProgramData instead of its standard Program Files location. Suspicious activity also encompasses renamed binaries with the internal name "client32" communicating with netsupportsoftware.com, or unauthenticated remote control sessions. Furthermore, monitoring for PowerShell execution associated with NetSupport Manager can reveal malicious deployment. These analytics help distinguish legitimate remote support from potential unauthorized access. +narrative: NetSupport Manager, a legitimate remote access tool, often finds itself weaponized by adversaries, transforming into a Remote Access Trojan (RAT) for covert access. The narrative of its detection begins by understanding this duality while IT teams use it for benign support, threat actors exploit its capabilities, often via phishing or fake updates, to gain unauthorized control. The tell-tale signs emerge when this legitimate tool operates outside its normal parameters. For instance, observing client32.exe running from unusual directories like Downloads or ProgramData, rather than its secure Program Files location, immediately raises a red flag. Similarly, the presence of clear-text HTTP traffic containing CMD=ENCD commands, instead of the expected secure HTTPS, signals malicious intent. Furthermore, renamed binaries still internally identifying as "client32" communicating with netsupportsoftware.com, or unauthenticated remote control sessions, paint a clear picture of abuse. 
These anomalies, coupled with suspicious PowerShell execution, allow detection analytics to differentiate legitimate remote assistance from a stealthy intrusion, enabling defenders to uncover the adversary's presence +references: + - https://www.linkedin.com/posts/mauricefielenbach_cybersecurity-incidentresponse-dfir-activity-7394805779448418304-g0gZ?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAuFTjIB5weY_kcyu4qp3kHbI4v49tO0zEk + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection
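Review bot: The `narrative` describes signals that none of the detections tagged with this story in this change produce: "clear-text HTTP traffic containing CMD=ENCD commands", renamed binaries "communicating with netsupportsoftware.com", and "unauthenticated remote control sessions" are network or session observations, while the analytics attached to the story here are endpoint-only (firewall rule changes, Defender exclusions, scheduled tasks, RDP logon, FakeCAPTCHA clipboard execution, the NetSupport DLL load, RunMRU deletion). Either trim the narrative to what is shipped or add the network analytic it promises. Two text fixes: "understanding this duality while IT teams use it" needs punctuation after "duality", and the closing sentence ("...uncover the adversary's presence") lacks a full stop. Also `date: '2025-11-14'` predates the `2025-11-20` dates on the detections that reference this story; align them.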
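Review bot: Nothing else in this change references `executable_extensions`, so the macro in macros/executable_extensions.yml ships unused; either include the analytic that calls it or hold the macro for that change. The definition hard-codes the raw Sysmon field `TargetFilename`, so it only works against Sysmon file events and not CIM `Filesystem` fields; say so in `description`, which should also read "matches known executable file extensions" (plural). For a list billed as known executable extensions, `.com` is a conspicuous omission next to `.scr` and `.cpl`.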
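Review bot: In the `@@ -54,4 +55,4 @@` hunk of windows_firewall_rule_modification.yml the only change to the final line is dropping the file's trailing newline (`\ No newline at end of file`), and the same happens in windows_modify_registry_delete_firewall_rules.yml, windows_modify_registry_to_add_or_modify_firewall_rule.yml and windows_powershell_fakecaptcha_clipboard_execution.yml. Restore the newline so these hunks carry only the version, date and analytic_story changes, and consider an editorconfig or pre-commit check so the next bump does not churn the same lines back.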