Merge pull request #1383 from splunk/darkside

Darkside Ransomware

detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml

@@ -25,6 +25,7 @@ references: []
 tags:
   analytic_story:
   - Credential Dumping
+  - DarkSide Ransomware
   asset_type: Endpoint
   automated_detection_testing: passed
   cis20:

detections/endpoint/bitsadmin_download_file.yml

@@ -38,6 +38,7 @@ tags:
   analytic_story:
   - Ingress Tool Transfer
   - BITS Jobs
+  - DarkSide Ransomware
   automated_detection_testing: passed
   dataset:
   - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log

detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml

@@ -31,6 +31,7 @@ references:
 tags:
   analytic_story:
   - Ingress Tool Transfer
+  - DarkSide Ransomware
   automated_detection_testing: passed
   dataset:
   - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log

detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml

@@ -32,6 +32,7 @@ references:
 tags:
   analytic_story:
   - Ingress Tool Transfer
+  - DarkSide Ransomware
   automated_detection_testing: passed
   dataset:
   - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log

detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml

@@ -0,0 +1,48 @@
+name: CMLUA Or CMSTPLUA UAC Bypass
+id: f87b5062-b405-11eb-a889-acde48001122
+version: 1
+date: '2021-05-13'
+author: Teoderick Contreras, Splunk
+type: batch
+datamodel:
+- Endpoint
+description: This analytic detects a potential process using COM Object like CMLUA
+  or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative
+  privileges to its running process.
+search: '`sysmon` EventCode=7  ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll",
+  "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*",
+  "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime
+  by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name and imageloaded executions from your endpoints. If you
+  are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: Legitimate windows application that are not on the list loading
+  this dll. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1218/003/
+tags:
+  analytic_story:
+  - DarkSide Ransomware
+  - Ransomware
+  kill_chain_phases:
+  - Exploitation
+  mitre_attack_id:
+  - T1218.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Image
+  - ImageLoaded
+  - process_name
+  - Computer
+  - EventCode
+  - Signed
+  - ProcessId
+  security_domain: endpoint
+  automated_detection_testing: passed
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log

detections/endpoint/cobalt_strike_named_pipes.yml

@@ -19,7 +19,7 @@ description: 'The following analytic identifies the use of default or publicly k
   connection, review and follow the connection back to identify any file modifications.'
 search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\wkssvc*, \\DserNamePipe*,
   \\srvsvc_*, \\mojo.*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*,
-  \\ntsvcs*, \\winsock*) | stats count min(_time) as firstTime max(_time) as lastTime
+  \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime
   by Computer, process_name, process_id process_path, PipeName | rename Computer as
   dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `cobalt_strike_named_pipes_filter`'
@@ -36,10 +36,12 @@ references:
 - https://www.cobaltstrike.com/help-smb-beacon
 - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
 tags:
   analytic_story:
   - Cobalt Strike
   - Trickbot
+  - DarkSide Ransomware
   asset_type: Endpoint
   automated_detection_testing: passed
   cis20:

detections/endpoint/detect_mimikatz_using_loaded_images.yml

@@ -29,6 +29,7 @@ tags:
   - Credential Dumping
   - Detect Zerologon Attack
   - Cloud Federated Credential Abuse
+  - DarkSide Ransomware
   asset_type: Windows
   automated_detection_testing: passed
   cis20:

detections/endpoint/detect_psexec_with_accepteula_flag.yml

@@ -34,6 +34,7 @@ tags:
   - SamSam Ransomware
   - DHS Report TA18-074A
   - HAFNIUM Group
+  - DarkSide Ransomware
   asset_type: Endpoint
   automated_detection_testing: passed
   cis20:

detections/endpoint/detect_rclone_command_line_usage.yml

@@ -0,0 +1,59 @@
+name: Detect RClone Command-Line Usage
+id: 32e0baea-b3f1-11eb-a2ce-acde48001122
+version: 1
+date: '2021-05-13'
+author: Michael Haag, Splunk
+type: batch
+datamodel:
+- Endpoint
+description: This analytic identifies commonly used command-line arguments used by
+  `rclone.exe` to initiate a file transfer. Some arguments were negated as they are
+  specific to the configuration used by adversaries. In particular, an adversary may
+  list the files or directories of the remote file share using `ls` or `lsd`, which
+  is not indicative of malicious behavior. During triage, at this stage of a ransomware
+  event, exfiltration is about to occur or has already. Isolate the endpoint and continue
+  investigating by review file modifications and parallel processes.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*",
+  "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*",
+  "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*")  by
+  Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process   Processes.process_id
+  Processes.parent_process_id 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)`
+  |  `security_content_ctime(lastTime)`
+  | `detect_rclone_command_line_usage_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node.
+known_false_positives: There is potential for false positives as these arguments may
+  be used by other applications. Filter or tune the analytic as needed.
+references:
+- https://redcanary.com/blog/rclone-mega-extortion/
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+tags:
+  analytic_story:
+  - DarkSide Ransomware
+  - Ransomware
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log
+  kill_chain_phases:
+  - Exfiltration
+  mitre_attack_id:
+  - T1020
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest
+  - Processes.user
+  - Processes.parent_process
+  - Processes.process_name
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id
+  security_domain: endpoint
+  automated_detection_testing: passed

detections/endpoint/detect_renamed_rclone.yml

@@ -0,0 +1,54 @@
+name: Detect Renamed RClone
+id: 6dca1124-b3ec-11eb-9328-acde48001122
+version: 1
+date: '2021-05-13'
+author: Michael Haag, Splunk
+type: batch
+datamodel: []
+description: The following analytic identifies the usage of `rclone.exe`, renamed,
+  being used to exfiltrate data to a remote destination. RClone has been used by multiple
+  ransomware groups to exfiltrate data. In many instances, it will be downloaded from
+  the legitimate site and executed accordingly. During triage, isolate the endpoint
+  and begin to review parallel processes for additional behavior. At this stage, the
+  adversary may have staged data to be exfiltrated.
+search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe
+  | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User,
+  parent_process_name, process_name, OriginalFileName, process_path, CommandLine |
+  rename Computer as dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `detect_renamed_rclone_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name, parent process, and command-line executions from your
+  endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
+  Sysmon TA.
+known_false_positives: False positives should be limited as this analytic identifies
+  renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business
+  use case.
+references:
+- https://redcanary.com/blog/rclone-mega-extortion/
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+tags:
+  analytic_story:
+  - DarkSide Ransomware
+  - Ransomware
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log
+  kill_chain_phases:
+  - Exfiltration
+  mitre_attack_id:
+  - T1020
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - OriginalFileName
+  - process_name
+  - process_path
+  - CommandLine
+  - dest
+  security_domain: endpoint
+  automated_detection_testing: passed

detections/endpoint/extract_sam_from_registry.yml

@@ -0,0 +1,52 @@
+name: Extract SAM from Registry
+id: 8bbb7d58-b360-11eb-ba21-acde48001122
+version: 1
+date: '2021-05-12'
+author: Michael Haag, Splunk
+type: batch
+datamodel:
+- Endpoint
+description: The following analytic identifies the use of `reg.exe` exporting Windows
+  Registry hives containing credentials. Adversaries may use this technique to export
+  registry hives for offline credential access attacks. Typically found executed from
+  a untrusted process or script. Upon execution, a file will be written to disk.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe
+  (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=*sam*
+  OR Processes.process=*system* OR Processes.process=*security*) by Processes.dest
+  Processes.user Processes.parent_process Processes.process_name Processes.process
+  Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extract_sam_from_registry_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node.
+known_false_positives: It is possible some agent based products will generate false
+  positives. Filter as needed.
+references:
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md
+tags:
+  analytic_story:
+  - DarkSide Ransomware
+  - Credential Dumping
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log
+  kill_chain_phases:
+  - Exploitation
+  mitre_attack_id:
+  - T1003.002
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest
+  - Processes.user
+  - Processes.parent_process
+  - Processes.process_name
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id
+  security_domain: endpoint
+  automated_detection_testing: passed

detections/endpoint/ransomware_notes_bulk_creation.yml

@@ -10,11 +10,11 @@ description: The following analytics identifies a big number of instance of rans
   notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This
   behavior is a good sensor if the ransomware note filename is quite new for security
   industry or the ransomware note filename is not in your lookup table list for monitoring.
-search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") | stats
-  min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count
-  values(TargetFilename) as list_of_readme_path by Computer Image file_name | where
-  unique_readme_path_count >= 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `ransomware_notes_bulk_creation_filter`'
+search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time
+  span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename)
+  as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer
+  Image file_name | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`'
 how_to_implement: You must be ingesting data that records the filesystem activity
   from your hosts to populate the Endpoint file-system data model node. If you are
   using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which
@@ -26,6 +26,7 @@ references:
 tags:
   analytic_story:
   - Clop Ransomware
+  - DarkSide Ransomware
   automated_detection_testing: passed
   dataset:
   - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log
@@ -45,4 +46,4 @@ tags:
   - Computer
   - Image
   - user
-  security_domain: endpoint
+  security_domain: endpoint

detections/endpoint/slui_runas_elevated.yml

@@ -0,0 +1,59 @@
+name: SLUI RunAs Elevated
+id: 8d124810-b3e4-11eb-96c7-acde48001122
+version: 1
+date: '2021-05-13'
+author: Michael Haag, Splunk
+type: batch
+datamodel:
+- Endpoint
+description: The following analytic identifies the Microsoft Software Licensing User
+  Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This
+  particular bypass utilizes a registry key/value. Identified by two sources, the
+  registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`.
+  To simulate this behavior, multiple POC are available. The analytic identifies the
+  use of `runas` by `slui.exe`.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe
+  (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user
+  Processes.parent_process Processes.process_name Processes.process Processes.process_id
+  Processes.parent_process_id 
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `slui_runas_elevated_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node.
+known_false_positives: Limited false positives should be present as this is not commonly
+  used by legitimate applications.
+references:
+- https://www.exploit-db.com/exploits/46998
+- https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
+- https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466
+- https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/
+- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
+tags:
+  analytic_story:
+  - DarkSide Ransomware
+  - Windows Defense Evasion Tactics
+  dataset:
+  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log
+  kill_chain_phases:
+  - Exploitation
+  mitre_attack_id:
+  - T1548.002
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest
+  - Processes.user
+  - Processes.parent_process
+  - Processes.process_name
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id
+  security_domain: endpoint
+  automated_detection_testing: passed