Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto_campaign #3240

Merged
merged 38 commits into from
Jan 24, 2025
Merged
Show file tree
Hide file tree
Changes from 21 commits
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
ab8b13c
crypto_campaign
tccontre Dec 13, 2024
5dd5554
Branch was auto-updated.
patel-bhavin Dec 16, 2024
36310e2
Branch was auto-updated.
patel-bhavin Dec 16, 2024
9c750f2
Branch was auto-updated.
patel-bhavin Dec 16, 2024
2a14589
Branch was auto-updated.
patel-bhavin Dec 16, 2024
3b701f7
Branch was auto-updated.
patel-bhavin Dec 16, 2024
8708b5f
Branch was auto-updated.
patel-bhavin Dec 16, 2024
b7f7c8c
Branch was auto-updated.
patel-bhavin Dec 16, 2024
6fc84d9
crypto_campaign
tccontre Dec 17, 2024
c7d68b5
crypto_campaign
tccontre Dec 17, 2024
95be36e
crypto_campaign
tccontre Dec 17, 2024
3db1a7e
crypto_campaign
tccontre Dec 17, 2024
6581cc6
crypto_campaign
tccontre Dec 17, 2024
4a5edfb
crypto_campaign
tccontre Dec 17, 2024
96ce187
crypto_campaign
tccontre Dec 18, 2024
aa34aa3
crypto_campaign
tccontre Dec 18, 2024
cac473c
Branch was auto-updated.
patel-bhavin Dec 18, 2024
6987fdc
Branch was auto-updated.
patel-bhavin Jan 3, 2025
00b1344
Branch was auto-updated.
patel-bhavin Jan 3, 2025
3579b63
Branch was auto-updated.
patel-bhavin Jan 6, 2025
4f8f4ef
Branch was auto-updated.
patel-bhavin Jan 6, 2025
9153947
crypto_campaign
tccontre Jan 8, 2025
185a5b8
crypto_campaign
tccontre Jan 8, 2025
7a46c66
crypto_campaign
tccontre Jan 8, 2025
4f75199
crypto_campaign
tccontre Jan 8, 2025
1e78187
crypto_campaign
tccontre Jan 8, 2025
0349709
Branch was auto-updated.
patel-bhavin Jan 8, 2025
ef6e7e7
Branch was auto-updated.
patel-bhavin Jan 9, 2025
e1a5602
Branch was auto-updated.
patel-bhavin Jan 9, 2025
8087f9f
Branch was auto-updated.
patel-bhavin Jan 10, 2025
3d32cfb
Branch was auto-updated.
patel-bhavin Jan 14, 2025
3e72f4e
Branch was auto-updated.
patel-bhavin Jan 14, 2025
cb90b85
Merge branch 'develop' into crypto_campaign
patel-bhavin Jan 17, 2025
a059e2d
updating with rba
patel-bhavin Jan 22, 2025
87f86e7
crypto_campaign
tccontre Jan 23, 2025
322008a
crypto_campaign
tccontre Jan 23, 2025
11dd085
Merge branch 'develop' into crypto_campaign
patel-bhavin Jan 23, 2025
6692321
Merge branch 'develop' into crypto_campaign
patel-bhavin Jan 24, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 8 additions & 7 deletions detections/endpoint/add_or_set_windows_defender_exclusion.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Add or Set Windows Defender Exclusion
id: 773b66fe-4dd9-11ec-8289-acde48001122
version: '5'
date: '2024-11-28'
version: '6'
date: '2024-12-17'
author: Teoderick Contreras, Splunk
status: production
type: TTP
Expand Down Expand Up @@ -55,14 +55,15 @@ drilldown_searches:
latest_offset: $info_max_time$
tags:
analytic_story:
- WhisperGate
- Windows Defense Evasion Tactics
- CISA AA22-320A
- AgentTesla
- Remcos
- Data Destruction
- CISA AA22-320A
- ValleyRAT
- Compromised Windows Host
- AgentTesla
- ValleyRAT
- Windows Defense Evasion Tactics
- WhisperGate
- Crypto Stealer
asset_type: Endpoint
confidence: 80
impact: 80
Expand Down
56 changes: 43 additions & 13 deletions detections/endpoint/any_powershell_downloadfile.yml
Original file line number Diff line number Diff line change
@@ -1,18 +1,40 @@
name: Any Powershell DownloadFile
id: 1a93b7ea-7af7-11eb-adb5-acde48001122
version: 7
date: '2024-09-30'
version: '8'
date: '2024-12-17'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the use of PowerShell's `DownloadFile` method to download files. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant as it is commonly used in malicious frameworks to download and execute additional payloads. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Analysts should investigate the source and destination of the download and review AMSI or PowerShell transaction logs for additional context.
description: The following analytic detects the use of PowerShell's `DownloadFile`
method to download files. It leverages data from Endpoint Detection and Response
(EDR) agents, focusing on process execution logs. This activity is significant as
it is commonly used in malicious frameworks to download and execute additional payloads.
If confirmed malicious, this could lead to unauthorized code execution, data exfiltration,
or further compromise of the system. Analysts should investigate the source and
destination of the download and review AMSI or PowerShell transaction logs for additional
context.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|
`security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: False positives may be present and filtering will need to occur
by parent process or command line argument. It may be required to modify this query
to an EDR product for more granular coverage.
references:
- https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
Expand All @@ -23,26 +45,34 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
"$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- DarkCrystal RAT
- Ingress Tool Transfer
- Hermetic Wiper
- Malicious PowerShell
- Data Destruction
- Log4Shell CVE-2021-44228
- Phemedrone Stealer
- Braodo Stealer
- Data Destruction
- PXA Stealer
- Ingress Tool Transfer
- Malicious PowerShell
- DarkCrystal RAT
- Crypto Stealer
- Braodo Stealer
asset_type: Endpoint
confidence: 70
cve:
- CVE-2021-44228
impact: 80
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.
message: An instance of $parent_process_name$ spawning $process_name$ was identified
on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile
within PowerShell.
mitre_attack_id:
- T1059
- T1059.001
Expand Down
55 changes: 43 additions & 12 deletions detections/endpoint/attempt_to_stop_security_service.yml
Original file line number Diff line number Diff line change
@@ -1,18 +1,42 @@
name: Attempt To Stop Security Service
id: c8e349c6-b97c-486e-8949-bd7bcd1f3910
version: 7
date: '2024-09-30'
version: '8'
date: '2024-12-17'
author: Rico Valdez, Splunk
status: production
type: TTP
description: The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" command with the "stop" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.
description: The following analytic detects attempts to stop security-related services
on an endpoint, which may indicate malicious activity. It leverages data from Endpoint
Detection and Response (EDR) agents, specifically searching for processes involving
the "sc.exe" command with the "stop" parameter. This activity is significant because
disabling security services can undermine the organization's security posture, potentially
leading to unauthorized access, data exfiltration, or further attacks like malware
installation or privilege escalation. If confirmed malicious, this behavior could
compromise the endpoint and the entire network, necessitating immediate investigation
and response.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: None identified. Attempts to disable security-related services should be identified and understood.
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop
*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
Processes.process_name Processes.original_file_name Processes.process Processes.process_id
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` |lookup security_services_lookup service as
process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: None identified. Attempts to disable security-related services
should be identified and understood.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
Expand All @@ -22,21 +46,28 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
"$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time)
as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- WhisperGate
- Graceful Wipe Out Attack
- Disabling Security Tools
- Data Destruction
- Azorult
- Data Destruction
- Disabling Security Tools
- Trickbot
- Graceful Wipe Out Attack
- WhisperGate
- Crypto Stealer
asset_type: Endpoint
confidence: 50
impact: 40
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
message: An instance of $parent_process_name$ spawning $process_name$ was identified
attempting to disable security services on endpoint $dest$ by user $user$.
mitre_attack_id:
- T1562.001
- T1562
Expand Down
Loading
Loading