From 5c28d2559ecd3648df6355fedb735078ccf37ac6 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Fri, 31 Oct 2025 11:44:46 +0100
Subject: [PATCH 1/4] castlerat
---
...rk_connection_to_ip_lookup_service_api.yml | 71 ++++++++++---------
..._or_script_creation_in_suspicious_path.yml | 5 +-
...ule_task_with_rundll32_command_trigger.yml | 32 +++++----
.../windows_anonymous_pipe_activity.yml | 49 ++++++-------
...indows_disable_or_stop_browser_process.yml | 50 +++++++------
...scheduled_task_with_highest_privileges.yml | 54 +++++++-------
...ws_scheduled_task_with_suspicious_name.yml | 5 +-
.../windows_schtasks_create_run_as_system.yml | 55 +++++++-------
.../windows_suspicious_process_file_path.yml | 5 +-
...ws_uac_bypass_suspicious_child_process.yml | 38 +++++-----
..._scheduled_task_created_to_spawn_shell.yml | 5 +-
...eduled_task_created_within_public_path.yml | 5 +-
...ork_info_through_ip_check_web_services.yml | 5 +-
stories/castlerat.yml | 20 ++++++
14 files changed, 224 insertions(+), 175 deletions(-)
create mode 100644 stories/castlerat.yml
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
index 70d37105e0..d73175d5a9 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 3
-date: '2025-09-09'
+version: 4
+date: '2025-10-31'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
 type: Anomaly
@@ -14,7 +14,7 @@ description: | The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser processes to reduce noise. data_source: - - Cisco Network Visibility Module Flow Data +- Cisco Network Visibility Module Flow Data search: | `cisco_network_visibility_module_flowdata` dest_hostname IN ( 
@@ -64,45 +64,48 @@ known_false_positives: | Internal scripts or agents performing network checks may query IP geolocation services. Tune by excluding known tools or adding internal allowlists for destination domains or process names and commandlines. references: - - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml - - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a +- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a drilldown_searches: - - name: View the detection results for - "$src$" - search: '%original_detection_search% | search src = "$src$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$src$" - search: - '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) - as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) - as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" 
values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: The host $src$ made a network request to IP lookup service $dest_hostname$ using suspicious process $process_path$ + message: The host $src$ made a network request to IP lookup service + $dest_hostname$ using suspicious process $process_path$ risk_objects: - - field: src - type: system - score: 40 + - field: src + type: system + score: 40 threat_objects: - - field: process_name - type: process_name + - field: process_name + type: process_name tags: analytic_story: - - Cisco Network Visibility Module Analytics + - Cisco Network Visibility Module Analytics + - Castle RAT asset_type: Endpoint mitre_attack_id: - - T1590.005 - - T1016 + - T1590.005 + - T1016 product: - - Splunk Enterprise - - Splunk Enterprise Security + - Splunk Enterprise + - Splunk Enterprise Security security_domain: endpoint tests: - - name: True Positive Test - Cisco NVM - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log - source: not_applicable - sourcetype: cisco:nvm:flowdata +- name: True Positive Test - Cisco NVM + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log + source: not_applicable + sourcetype: cisco:nvm:flowdata diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 238c571311..9be985bdd5 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml 
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 19
-date: '2025-09-30'
+version: 20
+date: '2025-10-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -117,6 +117,7 @@ tags:
 - PromptLock
 - GhostRedirector IIS Module and Rungan Backdoor
 - Lokibot
+ - Castle RAT
 asset_type: Endpoint
 mitre_attack_id:
 - T1036
diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
index 0fa6a5939f..9a81cf8fca 100644
--- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
+++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
@@ -1,27 +1,28 @@ name: Schedule Task with Rundll32 Command Trigger id: 75b00fd8-a0ff-11eb-8b31-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-10-31' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of scheduled tasks in Windows - that use the rundll32 command. It leverages Windows Security EventCode 4698, which - logs the creation of scheduled tasks, and filters for tasks executed via rundll32. - This activity is significant as it is a common technique used by malware, such as - TrickBot, to persist in an environment or deliver additional payloads. If confirmed - malicious, this could lead to data theft, ransomware deployment, or other damaging - outcomes. Immediate investigation and mitigation are crucial to prevent further - compromise. +description: The following analytic detects the creation of scheduled tasks in + Windows that use the rundll32 command. It leverages Windows Security EventCode + 4698, which logs the creation of scheduled tasks, and filters for tasks + executed via rundll32. This activity is significant as it is a common + technique used by malware, such as TrickBot, to persist in an environment or + deliver additional payloads. If confirmed malicious, this could lead to data + theft, ransomware deployment, or other damaging outcomes. Immediate + investigation and mitigation are crucial to prevent further compromise. data_source: - Windows Event Log Security 4698 search: '`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN ("*rundll32*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden, Arguments | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schedule_task_with_rundll32_command_trigger_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the task schedule (Exa. 
Security Log EventCode 4698) endpoints. Tune and - filter known instances of Task schedule used in your environment. +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the task schedule (Exa. Security Log EventCode 4698) + endpoints. Tune and filter known instances of Task schedule used in your + environment. known_false_positives: unknown references: - https://labs.vipre.com/trickbot-and-its-modules/ @@ -41,8 +42,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A scheduled task process commandline rundll32 arguments $Arguments$ on - host $dest$ + message: A scheduled task process commandline rundll32 arguments $Arguments$ + on host $dest$ risk_objects: - field: dest type: system @@ -56,6 +57,7 @@ tags: - Scheduled Tasks - Compromised Windows Host - Trickbot + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1053 diff --git a/detections/endpoint/windows_anonymous_pipe_activity.yml b/detections/endpoint/windows_anonymous_pipe_activity.yml index 6dfb8e9768..2ca3d4f5f2 100644 --- a/detections/endpoint/windows_anonymous_pipe_activity.yml +++ b/detections/endpoint/windows_anonymous_pipe_activity.yml 
@@ -1,35 +1,34 @@ name: Windows Anonymous Pipe Activity id: ee301e1e-cd81-4011-a911-e5f049b9e3d5 -version: 4 -date: '2025-08-07' +version: 5 +date: '2025-10-31' author: Teoderick Contreras, Splunk status: production type: Hunting -description: "The following analytic detects the creation or connection of anonymous\ - \ pipes for inter-process communication (IPC) within a Windows environment. Anonymous\ - \ pipes are commonly used by legitimate system processes, services, and applications\ - \ to transfer data between related processes. However, adversaries frequently abuse\ - \ anonymous pipes to facilitate stealthy process injection, command-and-control\ - \ (C2) communication, credential theft, or privilege escalation. This detection\ - \ monitors for unusual anonymous pipe activity, particularly involving non-system\ - \ processes, unsigned executables, or unexpected parent-child process relationships.\ - \ While legitimate use cases exist\u2014such as Windows services, software installers,\ - \ or security tools\u2014unusual or high-frequency anonymous pipe activity should\ - \ be investigated for potential malware, persistence mechanisms, or lateral movement\ - \ techniques." +description: "The following analytic detects the creation or connection of anonymous + pipes for inter-process communication (IPC) within a Windows environment. Anonymous + pipes are commonly used by legitimate system processes, services, and applications + to transfer data between related processes. However, adversaries frequently abuse + anonymous pipes to facilitate stealthy process injection, command-and-control (C2) + communication, credential theft, or privilege escalation. This detection monitors + for unusual anonymous pipe activity, particularly involving non-system processes, + unsigned executables, or unexpected parent-child process relationships. 
While legitimate + use cases exist—such as Windows services, software installers, or security tools—unusual + or high-frequency anonymous pipe activity should be investigated for potential malware, + persistence mechanisms, or lateral movement techniques." data_source: - Sysmon EventID 17 - Sysmon EventID 18 search: '`sysmon` EventCode IN (17,18) EventType IN ( "CreatePipe", "ConnectPipe") - PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*")) | stats min(_time) - as firstTime max(_time) as lastTime count by dest EventCode PipeName ProcessGuid - ProcessId Image EventType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_anonymous_pipe_activity_filter`' -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name and pipename from your endpoints. If you are using Sysmon, - you must have at least version 6.0.4 of the Sysmon TA. . -known_false_positives: Automation tool might use anonymous pipe for task orchestration - or process communication. + PipeName="*Anonymous Pipe*" NOT( Image IN ("C:\\Program Files*", "C:\\Windows\\system32\\*","C:\\Windows\\syswow64\\*")) + | stats min(_time) as firstTime max(_time) as lastTime count by dest EventCode + PipeName ProcessGuid ProcessId Image EventType | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_anonymous_pipe_activity_filter`' +how_to_implement: To successfully implement this search, you need to be + ingesting logs with the process name and pipename from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. . +known_false_positives: Automation tool might use anonymous pipe for task + orchestration or process communication. references: - https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html drilldown_searches: 
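Review bot: The rewritten exclusion in `search` is anchored to the C: drive and to a name prefix, which changes what the hunt sees in two ways the commit does not document: `"C:\\Program Files*"` excludes any directory whose name merely starts with `Program Files` (the old `*\\Program Files\\*` required the trailing backslash), and none of the three patterns apply on a host whose system drive is not C:, so such hosts silently lose the exclusion altogether. Adding `C:\\Windows\\system32\\*` and `C:\\Windows\\syswow64\\*` is also a broader carve-out than the description's "particularly involving non-system processes" suggests, since every pipe event from an image under those directories is now dropped before the filter macro runs. A tighter, drive-independent form would be `PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*", "*\\Program Files (x86)\\*", "*\\Windows\\system32\\*", "*\\Windows\\syswow64\\*"))`, and `known_false_positives` should state that images under those paths are excluded by design so tuners know what the `windows_anonymous_pipe_activity_filter` macro still has to cover. The re-flowed `how_to_implement` also keeps the stray `Sysmon TA. .`, which should read `Sysmon TA.`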
@@ -52,6 +51,7 @@ tags:
 - China-Nexus Threat Activity
 - SnappyBee
 - Interlock Rat
+ - Castle RAT
 asset_type: Endpoint
 mitre_attack_id:
 - T1559
@@ -63,6 +63,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1559/anonymous_pipe/anonymouspipe.log
 sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 source: XmlWinEventLog
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml
index dcad52a974..a32dbdd744 100644
--- a/detections/endpoint/windows_disable_or_stop_browser_process.yml
+++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml
@@ -1,20 +1,20 @@ name: Windows Disable or Stop Browser Process id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5 -version: 6 -date: '2025-10-14' +version: 7 +date: '2025-10-31' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 1 type: TTP status: production -description: The following analytic detects the use of the taskkill command in a process - command line to terminate several known browser processes, a technique commonly - employed by the Braodo stealer malware to steal credentials. By forcefully closing - browsers like Chrome, Edge, and Firefox, the malware can unlock files that store - sensitive information, such as passwords and login data. This detection focuses - on identifying taskkill commands targeting these browsers, signaling malicious intent. - Early detection allows security teams to investigate and prevent further credential - theft and system compromise. +description: The following analytic detects the use of the taskkill command in a + process command line to terminate several known browser processes, a technique + commonly employed by the Braodo stealer malware to steal credentials. By + forcefully closing browsers like Chrome, Edge, and Firefox, the malware can + unlock files that store sensitive information, such as passwords and login + data. This detection focuses on identifying taskkill commands targeting these + browsers, signaling malicious intent. Early detection allows security teams to + investigate and prevent further credential theft and system compromise. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*taskkill*" Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe") 
@@ -25,17 +25,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_or_stop_browser_process_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: Admin or user may choose to terminate browser via taskkill.exe. - Filter as needed. +how_to_implement: The detection is based on data that originates from Endpoint + Detection and Response (EDR) agents. These agents are designed to provide + security-related telemetry from the endpoints where the agent is installed. To + implement this search, you must ingest logs that contain the process GUID, + process name, and parent process. Additionally, you must ingest complete + command-line executions. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the EDR product. The logs must + also be mapped to the `Processes` node of the `Endpoint` data model. Use the + Splunk Common Information Model (CIM) to normalize the field names and speed + up the data modeling process. 
+known_false_positives: Admin or user may choose to terminate browser via + taskkill.exe. Filter as needed. references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d @@ -54,7 +55,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A process commandline- [$process$] that tries to kill browser on [$dest$]. + message: A process commandline- [$process$] that tries to kill browser on + [$dest$]. risk_objects: - field: user type: user @@ -68,6 +70,7 @@ tags: - Braodo Stealer - Scattered Lapsus$ Hunters - Hellcat Ransomware + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1562.001 @@ -79,6 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 79c95da0db..00f8632a88 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml 
@@ -1,18 +1,18 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: 10 -date: '2025-07-16' +version: 11 +date: '2025-10-31' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects the creation of a new scheduled task with - the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection - and Response (EDR) logs to monitor for specific command-line parameters ('/rl' and - 'highest') in schtasks.exe executions. This activity is significant as it is commonly - used in AsyncRAT attacks for persistence and privilege escalation. If confirmed - malicious, this could allow an attacker to maintain persistent access and execute - tasks with elevated privileges, potentially leading to unauthorized system access - and data breaches. +description: The following analytic detects the creation of a new scheduled task + with the highest execution privileges via Schtasks.exe. It leverages Endpoint + Detection and Response (EDR) logs to monitor for specific command-line + parameters ('/rl' and 'highest') in schtasks.exe executions. This activity is + significant as it is commonly used in AsyncRAT attacks for persistence and + privilege escalation. If confirmed malicious, this could allow an attacker to + maintain persistent access and execute tasks with elevated privileges, + potentially leading to unauthorized system access and data breaches. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -27,18 +27,20 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may arise from legitimate applications that - create tasks to run as SYSTEM. Therefore, it's recommended to adjust filters based - on parent process or modify the query to include world writable paths for restriction. +how_to_implement: The detection is based on data that originates from Endpoint + Detection and Response (EDR) agents. These agents are designed to provide + security-related telemetry from the endpoints where the agent is installed. To + implement this search, you must ingest logs that contain the process GUID, + process name, and parent process. Additionally, you must ingest complete + command-line executions. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the EDR product. The logs must + also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the + Splunk Common Information Model (CIM) to normalize the field names and speed + up the data modeling process. +known_false_positives: False positives may arise from legitimate applications + that create tasks to run as SYSTEM. Therefore, it's recommended to adjust + filters based on parent process or modify the query to include world writable + paths for restriction. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: @@ -56,8 +58,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A $process_name$ process created a scheduled task $process$ with highest - run level privilege on $dest$ + message: A $process_name$ process created a scheduled task $process$ with + highest run level privilege on $dest$ risk_objects: - field: dest type: system @@ -72,6 +74,7 @@ tags: - AsyncRAT - RedLine Stealer - Compromised Windows Host + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -83,6 +86,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml index 6d11687565..6a8fc824ea 100644 --- a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml +++ b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml 
@@ -1,7 +1,7 @@
 name: Windows Scheduled Task with Suspicious Name
 id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e
-version: 4
-date: '2025-09-18'
+version: 5
+date: '2025-10-31'
 author: Steven Dick
 status: production
 type: TTP
@@ -79,6 +79,7 @@ tags:
 - Ryuk Ransomware
 - 0bj3ctivity Stealer
 - APT37 Rustonotto and FadeStealer
+ - Castle RAT
 asset_type: Endpoint
 mitre_attack_id:
 - T1053.005
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
index 59fe9d2a76..57a66b2d93 100644
--- a/detections/endpoint/windows_schtasks_create_run_as_system.yml
+++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -1,18 +1,19 @@ name: Windows Schtasks Create Run As System id: 41a0e58e-884c-11ec-9976-acde48001122 -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-10-31' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the creation of a new scheduled task using - Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint - Detection and Response (EDR) agents, focusing on command-line executions and process - details. This activity is significant as it often indicates an attempt to gain elevated - privileges or maintain persistence within the environment. If confirmed malicious, - an attacker could execute code with SYSTEM-level privileges, potentially leading - to data theft, ransomware deployment, or further system compromise. Immediate investigation - and mitigation are crucial to prevent further damage. +description: The following analytic detects the creation of a new scheduled task + using Schtasks.exe to run as the SYSTEM user. This detection leverages data + from Endpoint Detection and Response (EDR) agents, focusing on command-line + executions and process details. This activity is significant as it often + indicates an attempt to gain elevated privileges or maintain persistence + within the environment. If confirmed malicious, an attacker could execute code + with SYSTEM-level privileges, potentially leading to data theft, ransomware + deployment, or further system compromise. Immediate investigation and + mitigation are crucial to prevent further damage. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -27,18 +28,20 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives will be limited to legitimate applications - creating a task to run as SYSTEM. Filter as needed based on parent process, or modify - the query to have world writeable paths to restrict it. +how_to_implement: The detection is based on data that originates from Endpoint + Detection and Response (EDR) agents. These agents are designed to provide + security-related telemetry from the endpoints where the agent is installed. To + implement this search, you must ingest logs that contain the process GUID, + process name, and parent process. Additionally, you must ingest complete + command-line executions. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the EDR product. The logs must + also be mapped to the `Processes` node of the `Endpoint` data model. 
Use the + Splunk Common Information Model (CIM) to normalize the field names and speed + up the data modeling process. +known_false_positives: False positives will be limited to legitimate + applications creating a task to run as SYSTEM. Filter as needed based on + parent process, or modify the query to have world writeable paths to restrict + it. references: - https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/ - https://www.ired.team/offensive-security/persistence/t1053-schtask @@ -58,8 +61,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: An $process_name$ was created on endpoint $dest$ attempting to spawn as - SYSTEM. + message: An $process_name$ was created on endpoint $dest$ attempting to spawn + as SYSTEM. risk_objects: - field: dest type: system @@ -73,6 +76,7 @@ tags: - Windows Persistence Techniques - Qakbot - Scheduled Tasks + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1053.005 @@ -84,6 +88,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index a1db9e6dd6..5896e7591d 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 16 -date: '2025-09-30' +version: 17 +date: '2025-10-31' author: Teoderick Contreras, Splunk status: production type: TTP 
@@ -125,6 +125,7 @@ tags:
 - PromptLock
 - GhostRedirector IIS Module and Rungan Backdoor
 - Lokibot
+ - Castle RAT
 asset_type: Endpoint
 mitre_attack_id:
 - T1543
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index b11b650cfe..202cb9b808 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -1,18 +1,19 @@ name: Windows UAC Bypass Suspicious Child Process id: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c -version: 8 -date: '2025-05-02' +version: 9 +date: '2025-10-31' author: Steven Dick status: production type: TTP -description: The following analytic detects when an executable known for User Account - Control (UAC) bypass exploitation spawns a child process in a user-controlled location - or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages - Sysmon EventID 1 data, focusing on high or system integrity level processes with - specific parent-child process relationships. This activity is significant as it - may indicate an attacker has successfully used a UAC bypass exploit to escalate - privileges. If confirmed malicious, this could allow the attacker to execute arbitrary - commands with elevated privileges, potentially compromising the entire system. +description: The following analytic detects when an executable known for User + Account Control (UAC) bypass exploitation spawns a child process in a + user-controlled location or a command shell executable (e.g., cmd.exe, + powershell.exe). This detection leverages Sysmon EventID 1 data, focusing on + high or system integrity level processes with specific parent-child process + relationships. This activity is significant as it may indicate an attacker has + successfully used a UAC bypass exploit to escalate privileges. If confirmed + malicious, this could allow the attacker to execute arbitrary commands with + elevated privileges, potentially compromising the entire system. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -29,10 +30,11 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | where parent_process_name != process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_uac_bypass_suspicious_child_process_filter`' -how_to_implement: Target environment must ingest sysmon data, specifically Event ID - 1 with process integrity level data. -known_false_positives: Including Werfault.exe may cause some unintended false positives - related to normal application faulting, but is used in a number of UAC bypass techniques. +how_to_implement: Target environment must ingest sysmon data, specifically Event + ID 1 with process integrity level data. +known_false_positives: Including Werfault.exe may cause some unintended false + positives related to normal application faulting, but is used in a number of + UAC bypass techniques. references: - https://attack.mitre.org/techniques/T1548/002/ - https://atomicredteam.io/defense-evasion/T1548.002/ @@ -53,8 +55,8 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched - a suspicious child process - $process_name$. + message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ + launched a suspicious child process - $process_name$. risk_objects: - field: dest type: system @@ -69,6 +71,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Living Off The Land + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1548.002 
@@ -80,6 +83,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml index 892aaef601..3c38612615 100644 --- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml +++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml @@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created to Spawn Shell id: 203ef0ea-9bd8-11eb-8201-acde48001122 -version: 15 -date: '2025-08-22' +version: 16 +date: '2025-10-31' author: Michael Haag, Splunk status: production type: TTP @@ -68,6 +68,7 @@ tags: - Windows Persistence Techniques - Winter Vivern - 0bj3ctivity Stealer + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index d3310302c5..9f352739b3 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: 19 -date: 2025-10-01 +version: 20 +date: '2025-10-31' author: Michael Haag, Splunk status: production type: TTP @@ -86,6 +86,7 @@ tags: - Windows Persistence Techniques - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1053.005 
diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml index df25b148a1..e0f63f05ac 100644 --- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -1,7 +1,7 @@ name: Windows Gather Victim Network Info Through Ip Check Web Services id: 70f7c952-0758-46d6-9148-d8969c4481d1 -version: 14 -date: '2025-08-22' +version: 15 +date: '2025-10-31' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -69,6 +69,7 @@ tags: - Water Gamayun - Quasar RAT - 0bj3ctivity Stealer + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1590.005 diff --git a/stories/castlerat.yml b/stories/castlerat.yml new file mode 100644 index 0000000000..cf1d091c7b --- /dev/null +++ b/stories/castlerat.yml 
@@ -0,0 +1,20 @@ +name: Castle RAT +id: 132ea5bd-b085-4a12-afb4-cac38a81e865 +version: 1 +date: '2025-11-31' +author: Teoderick Contreras, Splunk +status: production +description: Leverage searches that allow you to detect and investigate unusual activities that may be related to Castle RAT, a remote access trojan observed in targeted intrusion campaigns. Castle RAT provides adversaries with capabilities such as remote command execution, file exfiltration, keystroke logging, and screen capture, often delivered via phishing or malicious installers. Detectable indicators include anomalous process parentage (legitimate browsers or system utilities spawned by unknown executables), uncommon command-line switches, persistent autorun entries, and suspicious network connections to uncommon domains or dynamic DNS. Effective investigations correlate process creation events, command-line arguments, network telemetry, and file hashes with endpoint memory and disk forensics to confirm compromise and scope impact, while prioritizing containment and credential resets. +narrative: Castle RAT, a stealthy remote access trojan that operators employ to maintain long-term access to compromised hosts. In an affected environment, defenders might trace a breadcrumb trail of subtle anomalies: innocuous-looking installers that drop backdoor components, benign processes acting as parents for unexpected browser launches, and erratic outbound connections to ephemeral domains. Investigation narratives often follow credential misuse, lateral movement, and periods of staged data collection before exfiltration, with incident responders piecing together timelines from process creation logs, memory artifacts, and network telemetry. 
Prompt containment, credential resets, and forensic imaging are typical mitigation steps, while lessons learned feed improved detection rules and endpoint hardening to reduce +references: +- https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations +tags: + category: + - Data Destruction + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From a2486f7583057353ea4fd1db310d12ad5efe1d18 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Fri, 31 Oct 2025 11:50:04 +0100 Subject: [PATCH 2/4] castlerat --- stories/castlerat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stories/castlerat.yml b/stories/castlerat.yml index cf1d091c7b..5510df9155 100644 --- a/stories/castlerat.yml +++ b/stories/castlerat.yml 
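Review bot: The `narrative` value of the new story ends mid-sentence at `… endpoint hardening to reduce` — the closing clause is missing, and the PATCH 2 hunk that rewords the narrative keeps the same truncated ending, so the fix belongs in whichever of the two lands last. The `category` list also includes `Data Destruction`, which nothing in the `description` supports (the capabilities it names are remote command execution, file exfiltration, keystroke logging and screen capture); either drop that entry or state in the narrative what destructive behaviour is meant. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows, which yamllint will flag.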
@@ -5,7 +5,7 @@ date: '2025-11-31' author: Teoderick Contreras, Splunk status: production description: Leverage searches that allow you to detect and investigate unusual activities that may be related to Castle RAT, a remote access trojan observed in targeted intrusion campaigns. Castle RAT provides adversaries with capabilities such as remote command execution, file exfiltration, keystroke logging, and screen capture, often delivered via phishing or malicious installers. Detectable indicators include anomalous process parentage (legitimate browsers or system utilities spawned by unknown executables), uncommon command-line switches, persistent autorun entries, and suspicious network connections to uncommon domains or dynamic DNS. Effective investigations correlate process creation events, command-line arguments, network telemetry, and file hashes with endpoint memory and disk forensics to confirm compromise and scope impact, while prioritizing containment and credential resets. -narrative: Castle RAT, a stealthy remote access trojan that operators employ to maintain long-term access to compromised hosts. In an affected environment, defenders might trace a breadcrumb trail of subtle anomalies: innocuous-looking installers that drop backdoor components, benign processes acting as parents for unexpected browser launches, and erratic outbound connections to ephemeral domains. Investigation narratives often follow credential misuse, lateral movement, and periods of staged data collection before exfiltration, with incident responders piecing together timelines from process creation logs, memory artifacts, and network telemetry. Prompt containment, credential resets, and forensic imaging are typical mitigation steps, while lessons learned feed improved detection rules and endpoint hardening to reduce +narrative: Castle RAT, a stealthy remote access trojan that operators employ to maintain long-term access to compromised hosts. 
In an affected environment, defenders might trace a breadcrumb trail of subtle anomalies like innocuous-looking installers that drop backdoor components, benign processes acting as parents for unexpected browser launches, and erratic outbound connections to ephemeral domains. Investigation narratives often follow credential misuse, lateral movement, and periods of staged data collection before exfiltration, with incident responders piecing together timelines from process creation logs, memory artifacts, and network telemetry. Prompt containment, credential resets, and forensic imaging are typical mitigation steps, while lessons learned feed improved detection rules and endpoint hardening to reduce references: - https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations tags: From 94fd417a87770749548217301a692196cbe68591 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Fri, 31 Oct 2025 11:53:03 +0100 Subject: [PATCH 3/4] castlerat --- stories/{castlerat.yml => castle_rat.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename stories/{castlerat.yml => castle_rat.yml} (99%) diff --git a/stories/castlerat.yml b/stories/castle_rat.yml similarity index 99% rename from stories/castlerat.yml rename to stories/castle_rat.yml index 5510df9155..2deb2ce397 100644 --- a/stories/castlerat.yml +++ b/stories/castle_rat.yml 
@@ -1,7 +1,7 @@ name: Castle RAT id: 132ea5bd-b085-4a12-afb4-cac38a81e865 version: 1 -date: '2025-11-31' +date: '2025-10-31' author: Teoderick Contreras, Splunk status: production description: Leverage searches that allow you to detect and investigate unusual activities that may be related to Castle RAT, a remote access trojan observed in targeted intrusion campaigns. Castle RAT provides adversaries with capabilities such as remote command execution, file exfiltration, keystroke logging, and screen capture, often delivered via phishing or malicious installers. Detectable indicators include anomalous process parentage (legitimate browsers or system utilities spawned by unknown executables), uncommon command-line switches, persistent autorun entries, and suspicious network connections to uncommon domains or dynamic DNS. Effective investigations correlate process creation events, command-line arguments, network telemetry, and file hashes with endpoint memory and disk forensics to confirm compromise and scope impact, while prioritizing containment and credential resets. From b46dd275a81d40c5b62dcc6dadc6c0759623edb2 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 5 Nov 2025 10:18:52 +0100 Subject: [PATCH 4/4] castlerat --- ...er_process_launched_with_unusual_flags.yml | 78 +++++++++++++++++++ ...ws_computerdefaults_spawning_a_process.yml | 74 ++++++++++++++++++ ...plication_in_known_uac_bypass_binaries.yml | 74 ++++++++++++++++++ 3 files changed, 226 insertions(+) create mode 100644 detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml create mode 100644 detections/endpoint/windows_computerdefaults_spawning_a_process.yml create mode 100644 detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml diff --git a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml new file mode 100644 index 0000000000..8a99c060ec 
--- /dev/null
+++ b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
@@ -0,0 +1,78 @@
+name: Windows Browser Process Launched with Unusual Flags
+id: 841e2abc-0442-4e7f-b445-b22680632a08
+version: 1
+date: '2025-10-31'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+ as lastTime from datamodel=Endpoint.Processes
+ where NOT (Processes.parent_process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "explorer.exe")) AND
+ NOT (Processes.parent_process_path IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)) AND
+ Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe") AND
+ Processes.process IN ("*--mute-audio*","*--no-de-elevate*", "*--do-not-de-elevate*")
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)` | `windows_browser_process_launched_with_unusual_flags_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+ and Response (EDR) agents. These agents are designed to provide security-related
+ telemetry from the endpoints where the agent is installed. To implement this search,
+ you must ingest logs that contain the process GUID, process name, and parent process.
+ Additionally, you must ingest complete command-line executions. These logs must
+ be processed using the appropriate Splunk Technology Add-ons that are specific to
+ the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+ data model. Use the Splunk Common Information Model (CIM) to normalize the field
+ names and speed up the data modeling process.
+known_false_positives: It is possible false positives will be present based on third
+ party applications. Filtering may be needed.
+references:
+- https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
+- https://peter.sh/experiments/chromium-command-line-switches/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest="$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: chromium browser that has unusual flags for muting or audio and prevent de-elevation of the current process in $dest$.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 15
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+tags:
+ analytic_story:
+ - Castle RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1185
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/browser_unusual_flag/castle_chrome_shell32.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
new file mode 100644
index 0000000000..2445ac7fba
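Review bot: The `description` names the flags as `--mute-audio` and `--do-not-elevate`, but the `search` matches `*--no-de-elevate*` and `*--do-not-de-elevate*`; the prose and the pattern list should name the same switches, and the referenced chromium switch list is the place to confirm which of them actually exist before the detection ships. The `Processes.parent_process_path IN(...)` clause carries a trailing comma before the closing parenthesis — `"C:\\Windows\\SysWow64\\*",)` — which SPL will most likely reject as a syntax error, so drop the comma. The `rba.message` is garbled (`muting or audio and prevent de-elevation`); a readable form is `message: Browser process $process_name$ launched with unusual flags by parent $parent_process_name$ on $dest$.`.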
--- /dev/null
+++ b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
@@ -0,0 +1,74 @@
+name: Windows ComputerDefaults Spawning a Process
+id: 697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6
+version: 1
+date: '2025-10-31'
+author: Teoderick Contreras, Splunk
+status: production
+type: TTP
+description: The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges. Detection focuses on abnormal execution patterns, unusual parent-child process relationships, or deviations from standard paths. Such behavior may indicate attempts to modify system defaults or run malicious scripts undetected. Monitoring ComputerDefaults.exe is critical to identify potential security threats, prevent privilege escalation, and maintain system integrity by distinguishing normal operations from suspicious activity.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+ as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=ComputerDefaults.exe
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+ Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+ Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+ Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+ Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_computerdefaults_spawning_a_process_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+ and Response (EDR) agents. These agents are designed to provide security-related
+ telemetry from the endpoints where the agent is installed. To implement this search,
+ you must ingest logs that contain the process GUID, process name, and parent process.
+ Additionally, you must ingest complete command-line executions. These logs must
+ be processed using the appropriate Splunk Technology Add-ons that are specific to
+ the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+ data model. Use the Splunk Common Information Model (CIM) to normalize the field
+ names and speed up the data modeling process.
+known_false_positives: unknown
+references:
+- https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A ComputerDefaults.exe process $parent_process_name$ spawning child process $process_name$
+ on host $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 40
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+tags:
+ analytic_story:
+ - Castle RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1548.002
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/computerdefaults_spawn_proc/computerdefaults_process.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml b/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
index 0000000000..3f7167add5
--- /dev/null
+++ b/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
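Review bot: The `description` says the analytic "detects the spawning of ComputerDefaults.exe", but the `search` keys on `Processes.parent_process_name=ComputerDefaults.exe`, i.e. it fires on processes spawned *by* ComputerDefaults.exe, which is what the `name` says; the first sentence should read `description: The following analytic detects ComputerDefaults.exe spawning a child process. ComputerDefaults.exe is a Windows system utility used to manage default application associations.`. The description further claims the detection considers "deviations from standard paths" and "abnormal execution patterns", yet the search applies no path or integrity-level constraint on either side, so that claim should be removed or the filter added. With `known_false_positives: unknown` on a TTP scored 40 and no constraint on the child, a sentence naming the child processes expected in normal use would help tuning; the `rba.message` also repeats the parent name redundantly (`A ComputerDefaults.exe process $parent_process_name$`) and can become `message: A ComputerDefaults.exe process on host $dest$ spawned child process $process_name$`.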
@@ -0,0 +1,74 @@
+name: Windows Handle Duplication in Known UAC-Bypass Binaries
+id: d7369bf5-1315-4138-b927-2dd8bb8c1da7
+version: 1
+date: '2025-10-31'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.
+data_source:
+- Sysmon EventID 10
+search: '`sysmon` EventCode=10
+ TargetImage IN("*\\ComputerDefaults.exe", "*\\eventvwr.exe*", "*\\fodhelper.exe","*\\slui.exe","*\\sdclt.exe","*\\mmc.exe", "*\\colorcpl.exe","*\\wsreset.exe","*\\esentutl.exe", "*\PkgMgr.exe")
+ AND NOT (SourceImage IN ("*C:\\Windows\\system32\\*","*C:\\Windows\\syswow64\\*","*C:\\Program Files\\*", "*C:\\Program Files (x86)\\*","%systemroot%\\*"))
+ | eval g_access_decimal = tonumber(replace(GrantedAccess,"0x",""),16)
+ | eval PROCESS_DUP_HANDLE = 64
+ | eval dup_handle_set = bit_and (g_access_decimal, PROCESS_DUP_HANDLE)
+ | where dup_handle_set == PROCESS_DUP_HANDLE
+ | stats count min(_time) as firstTime max(_time) as lastTime
+ by SourceImage TargetImage GrantedAccess PROCESS_DUP_HANDLE g_access_decimal dup_handle_set Guid Opcode ProcessID SecurityID
+ SourceProcessGUID SourceProcessId TargetProcessGUID TargetProcessId
+ UserID dest granted_access parent_process_exec parent_process_guid parent_process_id
+ parent_process_name parent_process_path process_exec process_guid process_id process_name
+ process_path signature signature_id user_id vendor_product CallTrace EventID
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_handle_duplication_in_known_uac_bypass_binaries_filter`'
+how_to_implement: To successfully implement this search, you must be ingesting data
+ that records process activity from your hosts to populate the endpoint data model
+ in the processes node. If you are using Sysmon, you must have at least version 6.0.4
+ of the Sysmon TA.
+known_false_positives: It is possible legitimate applications will request access
+ to list of know abused Windows UAC binaries process, filter as needed.
+references:
+- https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A process $SourceImage$ is duplicating the handle token of $TargetImage$ on $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 20
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+tags:
+ analytic_story:
+ - Castle RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1134.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.001/uac_process_handle_dup/Computerdefaults_access.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
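Review bot: The `how_to_implement` text describes populating the Endpoint data model's Processes node, but the `search` reads raw Sysmon EventCode=10 through the `sysmon` macro and never touches the data model, so it should instead state that Sysmon EventID 10 (ProcessAccess) must be ingested and the `sysmon` macro pointed at that index and sourcetype. In the `TargetImage` list, `"*\PkgMgr.exe"` uses a single backslash while every other entry uses `\\`, and `"*\\eventvwr.exe*"` carries a trailing wildcard the others lack; `"*\\PkgMgr.exe"` and `"*\\eventvwr.exe"` make the entries match the same way. The `"%systemroot%\\*"` entry in the `SourceImage` exclusion is a literal string that SPL will not expand, and since Sysmon records resolved image paths it most likely never matches — the `C:\\Windows\\...` entries already cover that case. Grouping by `CallTrace` in the `stats ... by` clause is also questionable: that field is close to unique per event, so the aggregation collapses to one row per event and the `count` becomes meaningless; `values(CallTrace)` as an aggregate keeps the data without the cardinality.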