Branch was auto-updated.

Author: srv-rr-gh-researchbt

detections/endpoint/powershell_script_block_with_url_chain.yml

@@ -0,0 +1,74 @@
+name: PowerShell Script Block With URL Chain
+id: 4a3f2a7d-6402-4e64-a76a-869588ec3b57
+version: 1
+date: '2023-06-13'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array.
+ This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. 
+ During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.
+data_source:
+- Powershell 4104
+search: '`powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*")
+| regex ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}"
+| rex max_match=20 field=ScriptBlockText "(?<url>https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))"
+| eval Path = case(isnotnull(Path),Path,true(),"unknown")
+| stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode
+| rename Computer as dest, EventCode as signature_id
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+| `powershell_script_block_with_url_chain_filter`'
+how_to_implement: The following analytic requires PowerShell operational logs
+  to be imported. Modify the powershell macro as needed to match the sourcetype or
+  add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
+known_false_positives: Unknown, possible custom scripting.
+references:
+- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
+- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
+- https://attack.mitre.org/techniques/T1059/001/
+tags:
+  analytic_story:
+  - Malicious PowerShell
+  asset_type: Endpoint
+  confidence: 80
+  impact: 100
+  message: A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware. 
+  mitre_attack_id:
+  - T1059.001 
+  - T1105 
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: file_name
+    type: File Name
+    role:
+    - Attacker
+  - name: url
+    type: URL String
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - ActivityID
+  - Computer
+  - ScriptBlockText
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/powershell_webrequest_using_memory_stream.yml

@@ -0,0 +1,69 @@
+name: PowerShell WebRequest Using Memory Stream
+id: 103affa6-924a-4b53-aff4-1d5075342aab
+version: 1
+date: '2023-06-13'
+author: Steven Dick
+status: production
+type: TTP
+description: This analytic identifies a common fileless malware staging technique of using .NET classes
+ to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging 
+ (EventCode=4104) to identify suspicious PowerShell execution.
+data_source:
+- Powershell 4104
+search: '`powershell` EventCode=4104  ScriptBlockText IN ("*system.net.webclient*","*system.net.webrequest*") AND ScriptBlockText="*IO.MemoryStream*" 
+| eval Path = case(isnotnull(Path),Path,true(),"unknown")
+| stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode 
+| rename Computer as dest, EventCode as signature_id
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `powershell_webrequest_using_memory_stream_filter`'
+how_to_implement: The following analytic requires PowerShell operational logs
+  to be imported. Modify the powershell macro as needed to match the sourcetype or
+  add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
+known_false_positives: Unknown, possible custom scripting.
+references:
+- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
+- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
+- https://attack.mitre.org/techniques/T1059/001/
+tags:
+  analytic_story:
+  - Malicious PowerShell
+  asset_type: Endpoint
+  confidence: 80
+  impact: 100
+  message: Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.
+  mitre_attack_id:
+  - T1059.001 
+  - T1105 
+  - T1027.011
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: file_name
+    type: File Name
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - ActivityID 
+  - Computer
+  - ScriptBlockText
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/suspicious_process_executed_from_container_file_filter.yml

@@ -0,0 +1,63 @@
+name: Suspicious Process Executed From Container File
+id: d8120352-3b62-411c-8cb6-7b47584dd5e8
+version: 1
+date: '2023-06-13'
+author: Steven Dick
+status: production
+type: TTP
+description: This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common.
+data_source:
+- Sysmon 1
+- Windows Security 4688
+search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" | rex field=process "(?i).+\\\\(?<file_name>[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?<process_name>.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
+  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+  endpoint product.
+known_false_positives: Various business process or userland applications and behavior.
+references:
+- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
+- https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/
+- https://attack.mitre.org/techniques/T1204/002/
+tags:
+  analytic_story:
+  - Unusual Processes
+  asset_type: Endpoint
+  confidence: 20 
+  impact: 80
+  message: A suspicious process $process_name$ was launched from $file_name$ on $dest$.
+  mitre_attack_id:
+  - T1204.002  
+  - T1036.008 
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: file_name
+    type: File Name
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest 
+  - Processes.parent_process 
+  - Processes.process 
+  - Processes.user
+  risk_score: 16
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_registry_payload_injection.yml

@@ -0,0 +1,74 @@
+name: Windows Registry Payload Injection
+id: c6b2d80f-179a-41a1-b95e-ce5601d7427a
+version: 1
+date: '2023-06-15'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry. 
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name 
+	| `drop_dm_object_name(Registry)`
+	| eval reg_data_len = len(registry_value_data)
+    | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`'
+how_to_implement: The following analytic requires Sysmon or Windows logging with command line and registry modification logging enabled. Use filter to remove known environment known false positives prior to full production usage.
+known_false_positives: Unknown, possible custom scripting.
+references:
+- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
+- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
+- https://attack.mitre.org/techniques/T1027/011/
+tags:
+  analytic_story:
+  - Unusual Processes
+  asset_type: Endpoint
+  confidence: 60
+  impact: 100
+  message: The process $process_name$ added a suspicious length of registry data on $dest$.
+  mitre_attack_id:
+  - T1027
+  - T1027.011
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: process
+    type: Process
+    role:
+    - Attacker
+  - name: process_name
+    type: Process
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - user 
+  - dest   
+  - process_id 
+  - process_name 
+  - process 
+  - process_path 
+  - parent_process_name 
+  - parent_process 
+  - process_guid
+  - registry_path 
+  - registry_value_name 
+  - registry_value_data 
+  - registry_key_name
+  risk_score: 60
+  security_domain: endpoint  
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_scheduled_task_service_spawned_shell.yml

@@ -0,0 +1,70 @@
+name: Windows Scheduled Task Service Spawned Shell
+id: d8120352-3b62-4e3c-8cb6-7b47584dd5e8
+version: 1
+date: '2023-06-13'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when the Task Scheduler service "svchost.exe -k netsvcs -p -s Schedule" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates.
+data_source:
+- Sysmon 1
+- Windows Security 4688
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where 
+Processes.parent_process="*\\system32\\svchost.exe*" AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND Processes.parent_process="*-p*" AND Processes.parent_process="*-s*" AND Processes.parent_process="*Schedule*" Processes.process_name 
+IN("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "sh.exe", "ksh.exe", "zsh.exe", "bash.exe", "scrcons.exe","pwsh.exe") 
+by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name 
+| `drop_dm_object_name(Processes)` 
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)` 
+| `windows_scheduled_task_service_spawned_shell_filter`'
+how_to_implement: The following analytic requires Sysmon or Windows logging with command line logging enabled. Use filter to remove known environment known false positives prior to full production usage.
+known_false_positives: Unknown, possible custom scripting.
+references:
+- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
+- https://nasbench.medium.com/a-deep-dive-into-windows-scheduled-tasks-and-the-processes-running-them-218d1eed4cce
+- https://attack.mitre.org/techniques/T1053/005/
+tags:
+  analytic_story:
+  - Windows Persistence Techniques
+  asset_type: Endpoint
+  confidence: 25
+  impact: 80
+  message: A windows scheduled task spawned the shell application $process_name$ on $dest$.
+  mitre_attack_id:
+  - T1053.005 
+  - T1059
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: process
+    type: Process Name
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest 
+  - Processes.user 
+  - Processes.parent_process 
+  - Processes.process_name 
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id 
+  - Processes.parent_process_name
+  risk_score: 20
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog