crypto_campaign

detections/endpoint/add_or_set_windows_defender_exclusion.yml

@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 6
-date: '2024-12-10'
+version: '6'
+date: '2024-12-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -65,14 +65,15 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - WhisperGate
-  - Windows Defense Evasion Tactics
+  - CISA AA22-320A
+  - AgentTesla
   - Remcos
   - Data Destruction
-  - CISA AA22-320A
-  - ValleyRAT
   - Compromised Windows Host
-  - AgentTesla
+  - ValleyRAT
+  - Windows Defense Evasion Tactics
+  - WhisperGate
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001

detections/endpoint/any_powershell_downloadfile.yml

@@ -71,15 +71,16 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - DarkCrystal RAT
-  - Ingress Tool Transfer
   - Hermetic Wiper
-  - Malicious PowerShell
-  - Data Destruction
   - Log4Shell CVE-2021-44228
   - Phemedrone Stealer
-  - Braodo Stealer
+  - Data Destruction
   - PXA Stealer
+  - Ingress Tool Transfer
+  - Malicious PowerShell
+  - DarkCrystal RAT
+  - Crypto Stealer
+  - Braodo Stealer
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/chcp_command_execution.yml

@@ -65,9 +65,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - IcedID
   - Azorult
   - Forest Blizzard
+  - Crypto Stealer
+  - IcedID
   asset_type: Endpoint
   mitre_attack_id:
   - T1059

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -38,26 +38,27 @@ references:
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
 tags:
   analytic_story:
-  - AsyncRAT
-  - Winter Vivern
-  - WhisperGate
-  - Living Off The Land
+  - Data Destruction
   - DarkGate Malware
+  - Chaos Ransomware
+  - Hermetic Wiper
+  - Warzone RAT
+  - Winter Vivern
   - ProxyNotShell
-  - Log4Shell CVE-2021-44228
+  - IcedID
+  - Living Off The Land
   - NjRAT
-  - RedLine Stealer
+  - Log4Shell CVE-2021-44228
+  - CISA AA23-347A
+  - AsyncRAT
   - Rhysida Ransomware
-  - IcedID
-  - Chaos Ransomware
-  - PlugX
+  - DarkCrystal RAT
+  - Crypto Stealer
   - Azorult
   - Qakbot
-  - Hermetic Wiper
-  - Warzone RAT
-  - DarkCrystal RAT
-  - CISA AA23-347A
-  - Data Destruction
+  - RedLine Stealer
+  - PlugX
+  - WhisperGate
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/detect_password_spray_attack_behavior_on_user.yml

@@ -65,6 +65,7 @@ rba:
 tags:
   analytic_story:
   - Compromised User Account
+  - Crypto Stealer
   asset_type: Account
   mitre_attack_id:
   - T1110.003

detections/endpoint/detect_rare_executables.yml

@@ -60,6 +60,7 @@ tags:
   analytic_story:
   - Unusual Processes
   - Rhysida Ransomware
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1204

detections/endpoint/download_files_using_telegram.yml

@@ -50,9 +50,10 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - XMRig
   - Phemedrone Stealer
+  - Crypto Stealer
   - Snake Keylogger
+  - XMRig
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

detections/endpoint/excessive_service_stop_attempt.yml

@@ -63,9 +63,10 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - XMRig
   - Ransomware
   - BlackByte Ransomware
+  - Crypto Stealer
+  - XMRig
   asset_type: Endpoint
   mitre_attack_id:
   - T1489

detections/endpoint/excessive_usage_of_cacls_app.yml

@@ -62,10 +62,11 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - XMRig
   - Azorult
   - Windows Post-Exploitation
   - Prestige Ransomware
+  - XMRig
+  - Crypto Stealer
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/excessive_usage_of_sc_service_utility.yml

@@ -54,8 +54,9 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Ransomware
   - Azorult
+  - Ransomware
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1569

detections/endpoint/excessive_usage_of_taskkill.yml

@@ -62,12 +62,13 @@ rba:
     type: parent_process_name
 tags:
   analytic_story:
-  - XMRig
   - Azorult
-  - CISA AA22-264A
   - AgentTesla
   - CISA AA22-277A
   - NjRAT
+  - CISA AA22-264A
+  - XMRig
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -61,41 +61,42 @@ rba:
     type: file_name
 tags:
   analytic_story:
+  - Volt Typhoon
+  - LockBit Ransomware
+  - Data Destruction
+  - Snake Keylogger
+  - XMRig
+  - DarkGate Malware
+  - Chaos Ransomware
   - Double Zero Destructor
+  - Hermetic Wiper
+  - Warzone RAT
+  - AcidPour
   - Graceful Wipe Out Attack
-  - AsyncRAT
-  - WhisperGate
-  - DarkGate Malware
-  - AgentTesla
-  - Brute Ratel C4
+  - BlackByte Ransomware
+  - IcedID
   - NjRAT
-  - RedLine Stealer
+  - Handala Wiper
+  - Meduza Stealer
+  - CISA AA23-347A
+  - AsyncRAT
+  - Amadey
+  - Industroyer2
+  - ValleyRAT
   - Rhysida Ransomware
-  - Swift Slicer
-  - IcedID
   - DarkCrystal RAT
-  - Chaos Ransomware
-  - PlugX
-  - Industroyer2
+  - Crypto Stealer
   - Azorult
-  - Remcos
-  - XMRig
+  - Swift Slicer
+  - AgentTesla
   - Qakbot
-  - Volt Typhoon
-  - Hermetic Wiper
-  - Warzone RAT
+  - Remcos
   - Trickbot
-  - Amadey
-  - BlackByte Ransomware
-  - LockBit Ransomware
-  - CISA AA23-347A
-  - Data Destruction
-  - Snake Keylogger
-  - AcidPour
-  - Handala Wiper
+  - Brute Ratel C4
+  - RedLine Stealer
+  - PlugX
   - MoonPeak
-  - ValleyRAT
-  - Meduza Stealer
+  - WhisperGate
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml

@@ -60,10 +60,11 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Windows Persistence Techniques
   - Azorult
+  - Windows Persistence Techniques
   - Compromised Windows Host
   - Windows Defense Evasion Tactics
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1222

detections/endpoint/high_process_termination_frequency.yml

@@ -51,11 +51,12 @@ rba:
     type: process
 tags:
   analytic_story:
-  - Clop Ransomware
   - LockBit Ransomware
-  - BlackByte Ransomware
-  - Rhysida Ransomware
+  - Clop Ransomware
   - Snake Keylogger
+  - Rhysida Ransomware
+  - BlackByte Ransomware
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1486

detections/endpoint/icacls_deny_command.yml

@@ -65,8 +65,9 @@ tags:
   analytic_story:
   - Azorult
   - Sandworm Tools
-  - XMRig
   - Compromised Windows Host
+  - XMRig
+  - Crypto Stealer
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/icacls_grant_command.yml

@@ -1,10 +1,10 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 5
-date: '2024-12-16'
+version: '5'
+date: '2024-12-17'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the use of the ICACLS command to grant
   additional access permissions to files or directories. It leverages data from Endpoint
   Detection and Response (EDR) agents, focusing on specific process names and command-line
@@ -62,8 +62,9 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - XMRig
   - Ransomware
+  - Crypto Stealer
+  - XMRig
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/malicious_powershell_process___encoded_command.yml

@@ -43,17 +43,18 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
   analytic_story:
-  - Hermetic Wiper
-  - Malicious PowerShell
-  - NOBELIUM Group
-  - WhisperGate
-  - DarkCrystal RAT
-  - Qakbot
   - CISA AA22-320A
+  - Hermetic Wiper
   - Sandworm Tools
-  - Data Destruction
+  - Qakbot
   - Volt Typhoon
+  - NOBELIUM Group
+  - Data Destruction
   - Lumma Stealer
+  - Malicious PowerShell
+  - DarkCrystal RAT
+  - WhisperGate
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1027

detections/endpoint/modify_acl_permission_to_files_or_folder.yml

@@ -6,12 +6,13 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the modification of ACL permissions to
-  files or folders, making them accessible to everyone. It leverages data from Endpoint
-  Detection and Response (EDR) agents, focusing on processes like "cacls.exe," "icacls.exe,"
-  and "xcacls.exe" with specific command-line arguments. This activity is significant
-  as it may indicate an adversary attempting to evade ACLs or access protected files.
-  If confirmed malicious, this could allow unauthorized access to sensitive data,
-  potentially leading to data breaches or further system compromise.
+  files or folders, making them accessible to everyone or to system account. It leverages
+  data from Endpoint Detection and Response (EDR) agents, focusing on processes like
+  "cacls.exe," "icacls.exe," and "xcacls.exe" with specific command-line arguments.
+  This activity is significant as it may indicate an adversary attempting to evade
+  ACLs or access protected files. If confirmed malicious, this could allow unauthorized
+  access to sensitive data, potentially leading to data breaches or further system
+  compromise.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -59,6 +60,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - Crypto Stealer
   - XMRig
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
   asset_type: Endpoint

detections/endpoint/permission_modification_using_takeown_app.yml

@@ -62,8 +62,9 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Ransomware
   - Sandworm Tools
+  - Ransomware
+  - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1222