diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index ef0bbe5a17..3eea9a53bc 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml @@ -1,17 +1,18 @@ name: Access LSASS Memory for Dump Creation id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-09-30' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects attempts to dump the LSASS process memory, - a common technique in credential dumping attacks. It leverages Sysmon logs, specifically - EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll - associated with lsass.exe. This activity is significant as it often precedes the - theft of sensitive login credentials, posing a high risk of unauthorized access - to systems and data. If confirmed malicious, attackers could gain access to critical - credentials, enabling further compromise and lateral movement within the network. +description: The following analytic detects attempts to dump the LSASS process + memory, a common technique in credential dumping attacks. It leverages Sysmon + logs, specifically EventCode 10, to identify suspicious call traces to + dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is + significant as it often precedes the theft of sensitive login credentials, + posing a high risk of unauthorized access to systems and data. If confirmed + malicious, attackers could gain access to critical credentials, enabling + further compromise and lateral movement within the network. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* 
@@ -22,14 +23,15 @@ search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`' -how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which - includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. - We strongly recommend that you specify your environment-specific configurations - (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition - with configurations for your Splunk environment. The search also uses a post-filter - macro designed to filter out known false positives. -known_false_positives: Administrators can create memory dumps for debugging purposes, - but memory dumps of the LSASS process would be unusual. +how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, + which includes EventCode 10 for lsass.exe. This search uses an input macro + named `sysmon`. We strongly recommend that you specify your + environment-specific configurations (index, source, sourcetype, etc.) for + Windows Sysmon logs. Replace the macro definition with configurations for your + Splunk environment. The search also uses a post-filter macro designed to + filter out known false positives. +known_false_positives: Administrators can create memory dumps for debugging + purposes, but memory dumps of the LSASS process would be unusual. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: 
@@ -47,10 +49,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: process $SourceImage$ injected into $TargetImage$ and was attempted dump - LSASS on $dest$. Adversaries tend to do this when trying to accesss credential - material stored in the process memory of the Local Security Authority Subsystem - Service (LSASS). + message: process $SourceImage$ injected into $TargetImage$ and was attempted + dump LSASS on $dest$. Adversaries tend to do this when trying to accesss + credential material stored in the process memory of the Local Security + Authority Subsystem Service (LSASS). risk_objects: - field: dest type: system @@ -63,6 +65,7 @@ tags: - CISA AA23-347A - Credential Dumping - Cactus Ransomware + - Lokibot asset_type: Windows mitre_attack_id: - T1003.001 @@ -74,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index 275f8de082..1a45c6f416 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml 
@@ -1,18 +1,19 @@ name: Create Remote Thread into LSASS id: 67d4dbef-9564-4699-8da8-03a151529edc -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-30' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects the creation of a remote thread in the - Local Security Authority Subsystem Service (LSASS). This behavior is identified - using Sysmon EventID 8 logs, focusing on processes that create remote threads in - lsass.exe. This activity is significant because it is commonly associated with credential - dumping, a tactic used by adversaries to steal user authentication credentials. - If confirmed malicious, this could allow attackers to gain unauthorized access to - sensitive information, leading to potential compromise of the entire network. Analysts - should investigate to differentiate between legitimate tools and potential threats. +description: The following analytic detects the creation of a remote thread in + the Local Security Authority Subsystem Service (LSASS). This behavior is + identified using Sysmon EventID 8 logs, focusing on processes that create + remote threads in lsass.exe. This activity is significant because it is + commonly associated with credential dumping, a tactic used by adversaries to + steal user authentication credentials. If confirmed malicious, this could + allow attackers to gain unauthorized access to sensitive information, leading + to potential compromise of the entire network. Analysts should investigate to + differentiate between legitimate tools and potential threats. data_source: - Sysmon EventID 8 search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime 
@@ -22,14 +23,16 @@ search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as f parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`' -how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, which - includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. - We strongly recommend that you specify your environment-specific configurations - (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition - with configurations for your Splunk environment. The search also uses a post-filter - macro designed to filter out known false positives. -known_false_positives: Other tools can access LSASS for legitimate reasons and generate - an event. In these cases, tweaking the search may help eliminate noise. +how_to_implement: This search needs Sysmon Logs with a Sysmon configuration, + which includes EventCode 8 with lsass.exe. This search uses an input macro + named `sysmon`. We strongly recommend that you specify your + environment-specific configurations (index, source, sourcetype, etc.) for + Windows Sysmon logs. Replace the macro definition with configurations for your + Splunk environment. The search also uses a post-filter macro designed to + filter out known false positives. +known_false_positives: Other tools can access LSASS for legitimate reasons and + generate an event. In these cases, tweaking the search may help eliminate + noise. references: - https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf drilldown_searches: 
@@ -47,8 +50,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A process has created a remote thread into $TargetImage$ on $dest$. This - behavior is indicative of credential dumping and should be investigated. + message: A process has created a remote thread into $TargetImage$ on $dest$. + This behavior is indicative of credential dumping and should be + investigated. risk_objects: - field: dest type: system @@ -60,6 +64,7 @@ tags: analytic_story: - Credential Dumping - BlackSuit Ransomware + - Lokibot asset_type: Windows mitre_attack_id: - T1003.001 @@ -71,6 +76,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml index 29e9e7c7c3..0a262bd07a 100644 --- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml +++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml 
@@ -1,18 +1,19 @@ name: Detect Credential Dumping through LSASS access id: 2c365e57-4414-4540-8dc0-73ab10729996 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-30' author: Patrick Bareiss, Splunk status: production type: TTP -description: The following analytic detects attempts to read LSASS memory, indicative - of credential dumping. It leverages Sysmon EventCode 10, filtering for specific - access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is - significant because it suggests an attacker is trying to extract credentials from - LSASS memory, potentially leading to unauthorized access, data breaches, and compromise - of sensitive information. If confirmed malicious, this could enable attackers to - escalate privileges, move laterally within the network, or exfiltrate data. Extensive - triage is necessary to differentiate between malicious and benign activities. +description: The following analytic detects attempts to read LSASS memory, + indicative of credential dumping. It leverages Sysmon EventCode 10, filtering + for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. + This activity is significant because it suggests an attacker is trying to + extract credentials from LSASS memory, potentially leading to unauthorized + access, data breaches, and compromise of sensitive information. If confirmed + malicious, this could enable attackers to escalate privileges, move laterally + within the network, or exfiltrate data. Extensive triage is necessary to + differentiate between malicious and benign activities. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) 
@@ -23,16 +24,17 @@ search: '`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR G process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`' -how_to_implement: This search needs Sysmon Logs and a sysmon configuration, which - includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. - We strongly recommend that you specify your environment-specific configurations - (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition - with configurations for your Splunk environment. The search also uses a post-filter - macro designed to filter out known false positives. -known_false_positives: The activity may be legitimate. Other tools can access lsass - for legitimate reasons, and it's possible this event could be generated in those - cases. In these cases, false positives should be fairly obvious and you may need - to tweak the search to eliminate noise. +how_to_implement: This search needs Sysmon Logs and a sysmon configuration, + which includes EventCode 10 with lsass.exe. This search uses an input macro + named `sysmon`. We strongly recommend that you specify your + environment-specific configurations (index, source, sourcetype, etc.) for + Windows Sysmon logs. Replace the macro definition with configurations for your + Splunk environment. The search also uses a post-filter macro designed to + filter out known false positives. +known_false_positives: The activity may be legitimate. Other tools can access + lsass for legitimate reasons, and it's possible this event could be generated + in those cases. In these cases, false positives should be fairly obvious and + you may need to tweak the search to eliminate noise. references: [] drilldown_searches: - name: View the detection results for - "$dest$" and "$TargetImage$" 
@@ -49,8 +51,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: The $SourceImage$ has attempted access to read $TargetImage$ was identified - on endpoint $dest$, this is indicative of credential dumping and should be investigated. + message: The $SourceImage$ has attempted access to read $TargetImage$ was + identified on endpoint $dest$, this is indicative of credential dumping and + should be investigated. risk_objects: - field: dest type: system @@ -62,6 +65,7 @@ tags: - CISA AA23-347A - Credential Dumping - BlackSuit Ransomware + - Lokibot asset_type: Windows mitre_attack_id: - T1003.001 @@ -73,6 +77,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 16808f44ae..238c571311 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 version: 19 -date: '2025-09-16' +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -116,6 +116,7 @@ tags: - NailaoLocker Ransomware - PromptLock - GhostRedirector IIS Module and Rungan Backdoor + - Lokibot asset_type: Endpoint mitre_attack_id: - T1036 
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index cb9a3b1c84..4c3ba843bc 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 version: 16 -date: '2025-09-10' +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -107,6 +107,7 @@ tags: - IcedID - Interlock Rat - PromptLock + - Lokibot asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 900be3ad2d..e0c71a3216 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml 
@@ -1,18 +1,19 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 12 -date: '2025-07-16' +version: 13 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects a non-Chrome process accessing files in - the Chrome user default folder. It leverages Windows Security Event logs, specifically - event code 4663, to identify unauthorized access attempts. This activity is significant - because the Chrome default folder contains sensitive user data such as login credentials, - browsing history, and cookies. If confirmed malicious, this behavior could indicate - an attempt to exfiltrate sensitive information, often associated with RATs, trojans, - and advanced persistent threats like FIN7. Such access could lead to data theft - and further compromise of the affected system. +description: The following analytic detects a non-Chrome process accessing files + in the Chrome user default folder. It leverages Windows Security Event logs, + specifically event code 4663, to identify unauthorized access attempts. This + activity is significant because the Chrome default folder contains sensitive + user data such as login credentials, browsing history, and cookies. If + confirmed malicious, this behavior could indicate an attempt to exfiltrate + sensitive information, often associated with RATs, trojans, and advanced + persistent threats like FIN7. Such access could lead to data theft and further + compromise of the affected system. data_source: - Windows Event Log Security 4663 search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.exe", 
@@ -20,11 +21,12 @@ search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\chrome.e Data\\Default*" | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `non_chrome_process_accessing_chrome_default_dir_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security - Event logs and track event code 4663. For 4663, enable "Audit Object Access" in - Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: other browser not listed related to chrome may catch by this - rule. +how_to_implement: To successfully implement this search, you must ingest Windows + Security Event logs and track event code 4663. For 4663, enable "Audit Object + Access" in Group Policy. Then check the two boxes listed for both "Success" + and "Failure." +known_false_positives: other browser not listed related to chrome may catch by + this rule. references: [] drilldown_searches: - name: View the detection results for - "$dest$" @@ -65,6 +67,7 @@ tags: - RedLine Stealer - Snake Keylogger - China-Nexus Threat Activity + - Lokibot asset_type: Endpoint mitre_attack_id: - T1555.003 @@ -76,6 +79,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 17da161de9..7d28cfcb3d 100644 
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -1,7 +1,7 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 12 -date: '2025-08-22' +version: 13 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -68,6 +68,7 @@ tags: - Snake Keylogger - China-Nexus Threat Activity - 0bj3ctivity Stealer + - Lokibot asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 273044c950..1d852d8c58 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 20 -date: '2025-08-22' +version: 21 +date: '2025-09-30' author: Bhavin Patel, Splunk status: production type: TTP @@ -105,6 +105,7 @@ tags: - MoonPeak - Scattered Spider - 0bj3ctivity Stealer + - Lokibot asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml index 3e276a5281..0086ae3049 100644 --- a/detections/endpoint/sqlite_module_in_temp_folder.yml +++ b/detections/endpoint/sqlite_module_in_temp_folder.yml 
@@ -1,17 +1,18 @@ name: Sqlite Module In Temp Folder id: 0f216a38-f45f-11eb-b09c-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of sqlite3.dll files in the - %temp% folder. It leverages Sysmon EventCode 11 to identify when these files are - written to the temporary directory. This activity is significant because it is associated - with IcedID malware, which uses the sqlite3 module to parse browser databases and - steal sensitive information such as banking details, credit card information, and - credentials. If confirmed malicious, this behavior could lead to significant data - theft and compromise of user accounts. +description: The following analytic detects the creation of sqlite3.dll files in + the %temp% folder. It leverages Sysmon EventCode 11 to identify when these + files are written to the temporary directory. This activity is significant + because it is associated with IcedID malware, which uses the sqlite3 module to + parse browser databases and steal sensitive information such as banking + details, credit card information, and credentials. If confirmed malicious, + this behavior could lead to significant data theft and compromise of user + accounts. data_source: - Sysmon EventID 11 search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename 
@@ -19,10 +20,10 @@ search: '`sysmon` EventCode=11 (TargetFilename = "*\\sqlite32.dll" OR TargetFile firstTime max(_time) as lastTime by action dest file_name file_path process_guid process_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the process name, parent process, and command-line + executions from your endpoints. If you are using Sysmon, you must have at + least version 6.0.4 of the Sysmon TA. known_false_positives: unknown references: - https://www.cisecurity.org/insights/white-papers/security-primer-icedid @@ -50,6 +51,7 @@ rba: tags: analytic_story: - IcedID + - Lokibot asset_type: Endpoint mitre_attack_id: - T1005 @@ -61,6 +63,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 9cc82b6d47..160ba439a7 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml +++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml 
@@ -1,18 +1,18 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 15 -date: '2025-07-29' +version: 16 +date: '2025-09-30' author: Michael Haag, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of scheduled tasks that - execute binaries or scripts from public directories, such as users\public, \programdata\, - or \windows\temp, using schtasks.exe with the /create command. It leverages Sysmon - Event ID 1 data to detect this behavior. This activity is significant because it - often indicates an attempt to maintain persistence or execute malicious scripts, - which are common tactics in malware deployment. If confirmed as malicious, this - could lead to data compromise, unauthorized access, and potential lateral movement - within the network. +description: The following analytic identifies the creation of scheduled tasks + that execute binaries or scripts from public directories, such as + users\public, \programdata\, or \windows\temp, using schtasks.exe with the + /create command. It leverages Sysmon Event ID 1 data to detect this behavior. + This activity is significant because it often indicates an attempt to maintain + persistence or execute malicious scripts, which are common tactics in malware + deployment. If confirmed as malicious, this could lead to data compromise, + unauthorized access, and potential lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -28,19 +28,20 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `suspicious_scheduled_task_from_public_directory_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: The main source of false positives could be the legitimate - use of scheduled tasks from these directories. Careful tuning of this search may - be necessary to suit the specifics of your environment, reducing the rate of false - positives. +how_to_implement: The detection is based on data that originates from Endpoint + Detection and Response (EDR) agents. These agents are designed to provide + security-related telemetry from the endpoints where the agent is installed. To + implement this search, you must ingest logs that contain the process GUID, + process name, and parent process. Additionally, you must ingest complete + command-line executions. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the EDR product. The logs must + also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the + Splunk Common Information Model (CIM) to normalize the field names and speed + up the data modeling process. +known_false_positives: The main source of false positives could be the + legitimate use of scheduled tasks from these directories. Careful tuning of + this search may be necessary to suit the specifics of your environment, + reducing the rate of false positives. references: - https://attack.mitre.org/techniques/T1053/005/ drilldown_searches: @@ -87,6 +88,7 @@ tags: - MoonPeak - China-Nexus Threat Activity - Scattered Spider + - Lokibot asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -98,6 +100,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 18abb11365..2ead02cde6 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -1,7 +1,7 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 version: 16 -date: '2025-09-16' +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -71,6 +71,7 @@ tags: - Brute Ratel C4 - PathWiper - GhostRedirector IIS Module and Rungan Backdoor + - Lokibot asset_type: Endpoint mitre_attack_id: - T1134.002 
diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml index df61b908da..f4187400f8 100644 --- a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml +++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml @@ -1,7 +1,7 @@ name: Windows Chromium Browser with Custom User Data Directory id: 4f546cf4-15aa-4368-80f7-940e92bc551e -version: 1 -date: '2025-05-26' +version: 2 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -32,8 +32,8 @@ how_to_implement: | your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrators may enable or disable this feature that may - cause some false positive. +known_false_positives: Administrators may enable or disable this feature that + may cause some false positive. references: - https://chromium.googlesource.com/chromium/src/+/main/docs/user_data_dir.md drilldown_searches: @@ -51,7 +51,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A chromium process with the --user-data-dir flag was launched on $dest$ by user $user$. + message: A chromium process with the --user-data-dir flag was launched on + $dest$ by user $user$. risk_objects: - field: dest type: system @@ -62,6 +63,7 @@ rba: tags: analytic_story: - Malicious Inno Setup Loader + - Lokibot asset_type: Endpoint mitre_attack_id: - T1497 
@@ -73,6 +75,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497/chrom_no_sandbox/chrome-no_sandbox.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497/chrom_no_sandbox/chrome-no_sandbox.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 7ab9ce4d4e..dce541dabf 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 14 -date: '2025-08-22' +version: 15 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -71,6 +71,7 @@ tags: - Snake Keylogger - China-Nexus Threat Activity - 0bj3ctivity Stealer + - Lokibot asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 8514277041..dabc4defcb 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml 
@@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 14 -date: '2025-08-22' +version: 15 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -72,6 +72,7 @@ tags: - Snake Keylogger - China-Nexus Threat Activity - 0bj3ctivity Stealer + - Lokibot asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml index 144725aaa7..5864257ac2 100644 --- a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml +++ b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml 
@@ -1,25 +1,36 @@ name: Windows DLL Module Loaded in Temp Dir id: c2998141-235a-4e31-83cf-46afb5208a87 -version: 1 -date: '2025-08-20' +version: 2 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often associated with adversary tradecraft, including DLL search order hijacking, side-loading, or execution of malicious payloads staged in temporary folders. Adversaries frequently leverage these directories because they are writable by standard users and often overlooked by security controls, making them convenient locations to drop and execute malicious files. This behavior may indicate attempts to evade detection, execute unauthorized code, or maintain persistence through hijacked execution flows. Detection of DLL loads from %TEMP% can help surface early signs of compromise and should be investigated in the context of the originating process, user account, and potential file creation or modification activity within the same directory. +description: The following analytic detects instances where a Dynamic Link + Library (DLL) is loaded from a temporary directory on a Windows system. + Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate + applications and is often associated with adversary tradecraft, including DLL + search order hijacking, side-loading, or execution of malicious payloads + staged in temporary folders. Adversaries frequently leverage these directories + because they are writable by standard users and often overlooked by security + controls, making them convenient locations to drop and execute malicious + files. 
This behavior may indicate attempts to evade detection, execute + unauthorized code, or maintain persistence through hijacked execution flows. + Detection of DLL loads from %TEMP% can help surface early signs of compromise + and should be investigated in the context of the originating process, user + account, and potential file creation or modification activity within the same + directory. data_source: - Sysmon EventID 7 -search: '`sysmon` EventCode=7 NOT (ImageLoaded IN("C:\\Program Files*")) AND ImageLoaded="*\\temp\\*" AND ImageLoaded="*.dll" - | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime - by Image ImageLoaded dest loaded_file loaded_file_path original_file_name +search: '`sysmon` EventCode=7 NOT (ImageLoaded IN("C:\\Program Files*")) AND ImageLoaded="*\\temp\\*" + AND ImageLoaded="*.dll" | fillnull | stats count min(_time) as firstTime max(_time) + as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists - service_dll_signature_verified signature signature_id user_id vendor_product - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_dll_module_loaded_in_temp_dir_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name and imageloaded executions from your endpoints. If you - are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. + service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_dll_module_loaded_in_temp_dir_filter`' +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the process name and imageloaded executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of + the Sysmon TA. 
known_false_positives: unknown references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a @@ -27,6 +38,7 @@ references: tags: analytic_story: - Interlock Rat + - Lokibot asset_type: Endpoint mitre_attack_id: - T1105 @@ -38,6 +50,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/dll_loaded_in_temp/module_loaded_in_temp.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/dll_loaded_in_temp/module_loaded_in_temp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml index b8ee578bfc..cf698c4536 100644 --- a/detections/endpoint/windows_executable_in_loaded_modules.yml +++ b/detections/endpoint/windows_executable_in_loaded_modules.yml @@ -1,7 +1,7 @@ name: Windows Executable in Loaded Modules id: 3e27af56-fcf0-4113-988d-24969b062be7 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -15,11 +15,14 @@ description: The following analytic identifies instances where executable files NjRAT, which uses this technique to load malicious modules. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, maintain persistence, and further compromise the host system. -search: '`sysmon` EventCode=7 ImageLoaded= *.exe | fillnull | stats count min(_time) - as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path - original_file_name process_exec process_guid process_hash process_id process_name - process_path service_dll_signature_exists service_dll_signature_verified signature - signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`sysmon` EventCode=7 ImageLoaded != *.dll AND Signed != true + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name + process_path service_dll_signature_exists service_dll_signature_verified signature Signed + signature_id user_id vendor_product + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_executable_in_loaded_modules_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you @@ -51,6 +54,7 @@ rba: tags: analytic_story: - NjRAT + - Lokibot asset_type: Endpoint mitre_attack_id: - T1129 diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml index 120d363d62..ab39fa32cb 100644 --- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml 
@@ -1,17 +1,18 @@ name: Windows Hunting System Account Targeting Lsass id: 1c6abb08-73d1-11ec-9ca0-acde48001122 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-09-30' author: Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies processes attempting to access Lsass.exe, - which may indicate credential dumping or applications needing credential access. - It leverages Sysmon EventCode 10 to detect such activities by analyzing fields like - TargetImage, GrantedAccess, and SourceImage. This behavior is significant as unauthorized - access to Lsass.exe can lead to credential theft, posing a severe security risk. - If confirmed malicious, attackers could gain access to sensitive credentials, potentially - leading to privilege escalation and further compromise of the environment. +description: The following analytic identifies processes attempting to access + Lsass.exe, which may indicate credential dumping or applications needing + credential access. It leverages Sysmon EventCode 10 to detect such activities + by analyzing fields like TargetImage, GrantedAccess, and SourceImage. This + behavior is significant as unauthorized access to Lsass.exe can lead to + credential theft, posing a severe security risk. If confirmed malicious, + attackers could gain access to sensitive credentials, potentially leading to + privilege escalation and further compromise of the environment. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) as 
@@ -21,13 +22,14 @@ search: '`sysmon` EventCode=10 TargetImage=*lsass.exe | stats count min(_time) a parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hunting_system_account_targeting_lsass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -known_false_positives: False positives will occur based on GrantedAccess and SourceUser, - filter based on source image as needed. Utilize this hunting analytic to tune out - false positives in TTP or anomaly analytics. +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the process name, parent process, and command-line + executions from your endpoints. If you are using Sysmon, you must have at + least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess + lsass.exe is required. +known_false_positives: False positives will occur based on GrantedAccess and + SourceUser, filter based on source image as needed. Utilize this hunting + analytic to tune out false positives in TTP or anomaly analytics. references: - https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump @@ -38,6 +40,7 @@ tags: analytic_story: - CISA AA23-347A - Credential Dumping + - Lokibot asset_type: Endpoint mitre_attack_id: - T1003.001 
@@ -49,6 +52,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml index 04fef33283..c9aaadd355 100644 --- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml +++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml 
@@ -1,18 +1,19 @@ name: Windows Non-System Account Targeting Lsass id: b1ce9a72-73cf-11ec-981b-acde48001122 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-30' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic identifies non-SYSTEM accounts requesting access - to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access - attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM - users. This activity is significant as it may indicate credential dumping attempts - or unauthorized access to sensitive credentials. If confirmed malicious, an attacker - could potentially extract credentials from memory, leading to privilege escalation - or lateral movement within the network. Immediate investigation is required to determine - the legitimacy of the access request and to mitigate any potential threats. +description: The following analytic identifies non-SYSTEM accounts requesting + access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to + monitor access attempts to the Local Security Authority Subsystem Service + (lsass.exe) by non-SYSTEM users. This activity is significant as it may + indicate credential dumping attempts or unauthorized access to sensitive + credentials. If confirmed malicious, an attacker could potentially extract + credentials from memory, leading to privilege escalation or lateral movement + within the network. Immediate investigation is required to determine the + legitimacy of the access request and to mitigate any potential threats. data_source: - Sysmon EventID 10 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") 
@@ -23,12 +24,13 @@ search: '`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHOR process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name, parent process, and command-line executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. Enabling EventCode 10 TargetProcess lsass.exe is required. -known_false_positives: False positives will occur based on legitimate application - requests, filter based on source image as needed. +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the process name, parent process, and command-line + executions from your endpoints. If you are using Sysmon, you must have at + least version 6.0.4 of the Sysmon TA. Enabling EventCode 10 TargetProcess + lsass.exe is required. +known_false_positives: False positives will occur based on legitimate + application requests, filter based on source image as needed. references: - https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump @@ -50,8 +52,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A process, $parent_process_path$, has loaded $TargetImage$ that are typically - related to credential dumping on $dest$. Review for further details. + message: A process, $parent_process_path$, has loaded $TargetImage$ that are + typically related to credential dumping on $dest$. Review for further + details. risk_objects: - field: user_id type: user 
@@ -66,6 +69,7 @@ tags: analytic_story: - CISA AA23-347A - Credential Dumping + - Lokibot asset_type: Endpoint mitre_attack_id: - T1003.001 @@ -77,6 +81,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index 4237d5d56b..cb7edd4f3d 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,7 +1,7 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 version: 6 -date: '2025-09-10' +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -81,6 +81,7 @@ tags: - Trickbot - PathWiper - PromptLock + - Lokibot asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml index f26cc3a4fa..f892f0e89e 100644 --- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml +++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task Created Via XML id: 7e03b682-3965-4598-8e91-a60a40a3f7e4 -version: 9 -date: '2025-05-26' +version: 10 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -9,14 +9,15 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -description: The following analytic detects the creation of scheduled tasks in Windows - using schtasks.exe with the -create flag and an XML parameter. This detection leverages - data from Endpoint Detection and Response (EDR) agents, focusing on command-line - executions and process details. This activity is significant as it is a common technique - for establishing persistence or achieving privilege escalation, often used by malware - like Trickbot and Winter-Vivern. If confirmed malicious, this could allow attackers - to maintain access, execute additional payloads, and potentially lead to data theft - or ransomware deployment. +description: The following analytic detects the creation of scheduled tasks in + Windows using schtasks.exe with the -create flag and an XML parameter. This + detection leverages data from Endpoint Detection and Response (EDR) agents, + focusing on command-line executions and process details. This activity is + significant as it is a common technique for establishing persistence or + achieving privilege escalation, often used by malware like Trickbot and + Winter-Vivern. If confirmed malicious, this could allow attackers to maintain + access, execute additional payloads, and potentially lead to data theft or + ransomware deployment. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe Processes.process=*create* Processes.process="* /xml *" by Processes.action Processes.dest 
@@ -27,17 +28,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_created_via_xml_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: It is possible scripts or administrators may trigger this analytic. - Filter as needed based on parent process, application. +how_to_implement: The detection is based on data that originates from Endpoint + Detection and Response (EDR) agents. These agents are designed to provide + security-related telemetry from the endpoints where the agent is installed. To + implement this search, you must ingest logs that contain the process GUID, + process name, and parent process. Additionally, you must ingest complete + command-line executions. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the EDR product. The logs must + also be mapped to the `Processes` node of the `Endpoint` data model. Use the + Splunk Common Information Model (CIM) to normalize the field names and speed + up the data modeling process. 
+known_false_positives: It is possible scripts or administrators may trigger this + analytic. Filter as needed based on parent process, application. references: - https://twitter.com/_CERT_UA/status/1620781684257091584 - https://cert.gov.ua/article/3761104 @@ -56,8 +58,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A scheduled task process, $process_name$, with 'create' or 'delete' commands - present in the command line. + message: A scheduled task process, $process_name$, with 'create' or 'delete' + commands present in the command line. risk_objects: - field: dest type: system @@ -73,6 +75,7 @@ tags: - CISA AA23-347A - Scheduled Tasks - MoonPeak + - Lokibot asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -84,6 +87,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index f5d14f68f1..a1db9e6dd6 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 version: 16 -date: '2025-09-16' +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: TTP @@ -124,6 +124,7 @@ tags: - NailaoLocker Ransomware - PromptLock - GhostRedirector IIS Module and Rungan Backdoor + - Lokibot asset_type: Endpoint mitre_attack_id: - T1543 
diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index faf3935408..5d321d9721 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml @@ -1,7 +1,7 @@ name: Windows Unsecured Outlook Credentials Access In Registry id: 36334123-077d-47a2-b70c-6c7b3cc85049 -version: 7 -date: '2025-08-22' +version: 8 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -57,6 +57,7 @@ tags: - Snake Keylogger - Meduza Stealer - 0bj3ctivity Stealer + - Lokibot asset_type: Endpoint mitre_attack_id: - T1552 diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 2db46c7d1f..dfac5349e6 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml 
@@ -1,18 +1,19 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: 14 -date: '2025-07-29' +version: 15 +date: '2025-09-30' author: Teoderick Contreras, Splunk type: TTP status: production -description: This detection identifies unsigned DLLs loaded through DLL side-loading - with same file path with the process loaded the DLL, a technique observed in DarkGate - malware. This detection monitors DLL loading, verifies signatures, and flags unsigned - DLLs. Suspicious file paths and known executable associations are checked. Detecting - such suspicious DLLs is crucial in preventing privilege escalation attacks and other - potential security breaches. Regular security assessments, thorough monitoring, - and implementing security best practices are essential in safeguarding systems from - such threats. +description: This detection identifies unsigned DLLs loaded through DLL + side-loading with same file path with the process loaded the DLL, a technique + observed in DarkGate malware. This detection monitors DLL loading, verifies + signatures, and flags unsigned DLLs. Suspicious file paths and known + executable associations are checked. Detecting such suspicious DLLs is crucial + in preventing privilege escalation attacks and other potential security + breaches. Regular security assessments, thorough monitoring, and implementing + security best practices are essential in safeguarding systems from such + threats. data_source: - Sysmon EventID 7 search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image IN 
@@ -25,9 +26,10 @@ search: '`sysmon` EventCode=7 Signed=false SignatureStatus != Valid NOT (Image I process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_in_same_process_path_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name and imageloaded executions from your endpoints. If you - are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the process name and imageloaded executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of + the Sysmon TA. known_false_positives: unknown references: - https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html @@ -64,6 +66,7 @@ tags: - XWorm - SnappyBee - NailaoLocker Ransomware + - Lokibot asset_type: Endpoint mitre_attack_id: - T1574.001 @@ -75,6 +78,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_process_path.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml index 058e587c93..d02b2384db 100644 --- a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml 
+++ b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml 
@@ -1,31 +1,32 @@ name: Windows Unusual Intelliform Storage Registry Access id: 99d69078-7dae-4ffe-9f3d-063242772f5a -version: 1 -date: '2025-07-16' +version: 2 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies processes accessing Intelliform Storage Registry keys - used by Internet Explorer. It leverages Windows Security Event logs, specifically - monitoring EventCode 4663, which tracks object access events. This activity is significant - because it can indicate unauthorized access or manipulation of sensitive registry - keys used for storing form data in Internet Explorer. If confirmed malicious, this - could lead to data exfiltration, credential theft, or further compromise of the system. +description: The following analytic identifies processes accessing Intelliform + Storage Registry keys used by Internet Explorer. It leverages Windows Security + Event logs, specifically monitoring EventCode 4663, which tracks object access + events. This activity is significant because it can indicate unauthorized + access or manipulation of sensitive registry keys used for storing form data + in Internet Explorer. If confirmed malicious, this could lead to data + exfiltration, credential theft, or further compromise of the system. 
data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN("C:\\Program Files\\Internet Explorer\\iexplore.exe", "C:\\Windows\\System32\\dllhost.exe", "C:\\Windows\\SysWow64\\dllhost.exe")) - ObjectName IN ("*Software\\microsoft\\Internet Explorer\\Intelliforms\\storage2*") +search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN("C:\\Program Files\\Internet + Explorer\\iexplore.exe", "C:\\Windows\\System32\\dllhost.exe", "C:\\Windows\\SysWow64\\dllhost.exe")) + ObjectName IN ("*Software\\microsoft\\Internet Explorer\\Intelliforms\\storage2*") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType - ProcessName AccessMask process_id EventCode Computer Caller_User_Name - | rename Computer as dest Caller_User_Name as user ProcessName as process_name - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_unusual_intelliform_storage_registry_access_filter`' -how_to_implement: To successfully implement this search, you must ingest Windows Security - Event logs and track event code 4663. For 4663, enable "Audit Object Access" in - Group Policy. Then check the two boxes listed for both "Success" and "Failure." -known_false_positives: a third party application can access the FileZilla XML config files. - Filter is needed. + ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer + as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_unusual_intelliform_storage_registry_access_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows + Security Event logs and track event code 4663. For 4663, enable "Audit Object + Access" in Group Policy. Then check the two boxes listed for both "Success" + and "Failure." 
+known_false_positives: a third party application can access the FileZilla XML + config files. Filter is needed. references: - https://stackoverflow.com/questions/1276700/where-does-internet-explorer-stores-its-form-data-history-that-is-uses-for-auto drilldown_searches: @@ -43,8 +44,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: a non Internet Explorer process $process_name$ with $process_id$ accessed - Intelliform Storage Registry keys on host $dest$ + message: a non Internet Explorer process $process_name$ with $process_id$ + accessed Intelliform Storage Registry keys on host $dest$ risk_objects: - field: dest type: system @@ -55,6 +56,7 @@ rba: tags: analytic_story: - Quasar RAT + - Lokibot asset_type: Endpoint mitre_attack_id: - T1552.001 @@ -66,6 +68,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/ie_intelliform_storage/storage2_sim.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/ie_intelliform_storage/storage2_sim.log source: XmlWinEventLog:Security sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml index 9d8ec4fceb..13afd14d81 100644 --- a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml +++ b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml @@ -1,7 +1,7 @@ name: Windows Unusual Process Load Mozilla NSS-Mozglue Module id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd -version: 2 -date: '2025-08-22' +version: 3 +date: '2025-09-30' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -67,6 +67,7 @@ tags: analytic_story: - Quasar RAT - 0bj3ctivity Stealer + - Lokibot asset_type: Endpoint mitre_attack_id: - T1218.003 diff --git a/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml b/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml new file mode 100644 index 0000000000..38477f4b3d --- /dev/null +++ b/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml 
@@ -0,0 +1,65 @@ +name: Windows Visual Basic Commandline Compiler DNSQuery +id: 8976744a-ae7a-46a4-8128-690df85c2af4 +version: 1 +date: '2025-09-30' +author: Teoderick Contreras, Splunk +status: production +type: TTP +description: The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS lookups. Therefore, any observed DNS activity originating from vbc.exe is highly suspicious and indicative of potential malicious activity. This behavior often suggests that a malicious payload is masquerading as the legitimate vbc.exe process to establish command-and-control (C2) communication, resolve domains for data exfiltration, or download additional stages of malware. Security teams should investigate the process's parent, command-line arguments, and the resolved domains for further indicators of compromise. +data_source: +- Sysmon EventID 22 +search: '`sysmon` EventCode=22 process_name="vbc.exe" + | rename dvc as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id + signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_visual_basic_commandline_compiler_dnsquery_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and eventcode = 22 dnsquery executions from your endpoints. + If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. + Tune and filter known instances where renamed rundll32.exe may be used. 
+known_false_positives: unknown +references: +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: vbc.exe process [$process_name$] made a DNS query for $query$ from host $dest$. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Lokibot + asset_type: Endpoint + mitre_attack_id: + - T1071.004 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/vbc_dnsquery/vbc_dns_query.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/stories/lokibot.yml b/stories/lokibot.yml new file mode 100644 index 0000000000..90bdbf0117 --- /dev/null +++ b/stories/lokibot.yml 
@@ -0,0 +1,18 @@ +name: Lokibot +id: d8db6b83-85b9-40f1-a6bc-28f6c6e3d487 +version: 1 +date: '2025-09-30' +author: Teoderick Contreras, Splunk +status: production +description: Lokibot is a prevalent information-stealing Trojan that primarily targets Windows and Android devices to pilfer sensitive data, including usernames, passwords, cryptocurrency wallets, and banking information. Detection often hinges on identifying its characteristic behaviors and network communications. It is commonly distributed via phishing emails containing malicious attachments (e.g., Office documents, RAR files) or through compromised websites. Once infected, Lokibot employs keylogging to capture credentials and exfiltrates stolen data to its command-and-control (C2) servers, often using HTTP with a distinct User-Agent string like "Mozilla/4.08 (Charon; Inferno)". Suspicious network traffic, unexpected system activity, or the presence of its specific C2 communication patterns are strong indicators of compromise. Antivirus and endpoint detection solutions are crucial for identifying and mitigating Lokibot infections. +narrative: Lokibot's detection narrative often begins with the initial compromise, typically through a user opening a malicious attachment from a phishing email or visiting a compromised website. Once executed, the malware establishes persistence and begins its data-gathering operations, often employing keylogging to capture credentials and other sensitive information. Its presence might first be flagged by endpoint detection and response (EDR) solutions observing unusual process behavior, such as vbc.exe or other legitimate processes making unexpected network connections. Network monitoring tools can then identify suspicious outbound traffic, particularly HTTP requests to known Lokibot command-and-control (C2) servers, often characterized by specific User-Agent strings or patterns. 
Furthermore, the exfiltration of stolen data to these C2 infrastructures provides a critical detection point, allowing security teams to identify and respond to the compromise before significant data loss occurs. Antivirus signatures and behavioral analysis also play a role in identifying the Lokibot executable itself or its attempts to modify system configurations. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file
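Review bot: in the first hunk of windows_unusual_intelliform_storage_registry_access.yml the `known_false_positives` text is still a copy-paste from another analytic ("a third party application can access the FileZilla XML config files"); this search watches the `Intelliforms\storage2` registry key, so the line should describe non-IE processes that legitimately read that key, and since the line is being re-wrapped here anyway this is the moment to fix it. In the same hunk, the `NOT (ProcessName IN(...))` exclusion lists only `C:\\Program Files\\Internet Explorer\\iexplore.exe`; on 64-bit Windows the 32-bit browser runs from `C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe`, which would make every autocomplete read from that binary fire this Anomaly, so add that path to the list. Finally, `how_to_implement` says enabling "Audit Object Access" is enough for 4663, but registry 4663 events are only emitted when the key also carries a SACL, so the text should tell the reader to set an audit ACE on the `Intelliforms\storage2` key (or the analytic will never see data in a default-configured environment).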
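Review bot: in the new-file hunk for windows_visual_basic_commandline_compiler_dnsquery.yml, `how_to_implement` ends with "Tune and filter known instances where renamed rundll32.exe may be used", which is copied from another analytic and has nothing to do with this search; it should refer to vbc.exe. Also, the `description` tells the analyst to investigate the process's parent and command line, but the `stats ... by` clause carries only `process_exec process_guid process_name` and no image path, so the result cannot distinguish the legitimate `vbc.exe` under the .NET Framework directory from a copy dropped elsewhere; consider adding the image path field to the `by` clause, and pointing the analyst at `process_guid` for the join to the Sysmon EventID 1 record that holds the parent and command line, since EventID 22 does not carry them.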
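Review bot: the new stories/lokibot.yml is missing its trailing newline ("\ No newline at end of file"); please add it so the file matches the other story files. On content, the `description` and `narrative` largely repeat each other (initial phishing compromise, keylogging, C2 exfiltration, generic "antivirus and EDR are crucial" sentences), and the only concrete, detection-relevant detail, the "Mozilla/4.08 (Charon; Inferno)" User-Agent from the CISA advisory, is not matched by any of the three analytics attached to this story, which all key on endpoint events (vbc.exe DNS queries, Intelliforms registry reads, NSS/mozglue module loads). Either trim the description to the endpoint behaviour the story actually covers or add a network-side analytic for that User-Agent so the narrative and the mapped detections line up.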