Merge pull request #3129 from splunk/valleyrat
valleyrat
Showing 16 changed files with 410 additions and 0 deletions.
@@ -37,6 +37,7 @@ tags: | |
- Azorult | ||
- Qakbot | ||
- Warzone RAT | ||
- ValleyRAT | ||
asset_type: Endpoint | ||
confidence: 80 | ||
impact: 80 | ||
|
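Review bot: the analytic_story entries in this tags block are in alphabetical order (Azorult, Qakbot, Warzone RAT), so the new `- ValleyRAT` line belongs before `- Warzone RAT` rather than after it. Minor, but it keeps the list sortable as more families are appended to the story.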
detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
69 changes: 69 additions & 0 deletions
@@ -0,0 +1,69 @@ | ||
name: Windows Impair Defenses Disable AV AutoStart via Registry | ||
id: 31a13f43-812e-4752-a6ca-c6c87bf03e83 | ||
version: 1 | ||
date: '2024-09-11' | ||
author: Teoderick Contreras, Splunk | ||
data_sources: | ||
- Sysmon Event ID 13 | ||
type: TTP | ||
status: production | ||
description: The following analytic detects modifications to the registry related to the disabling of autostart | ||
functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter | ||
specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. | ||
By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security | ||
analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining | ||
system integrity and preventing further compromise by malicious actors. | ||
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry | ||
WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*") | ||
AND ((Registry.registry_value_name IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000") | ||
OR (Registry.registry_value_name = "WindhunterLevel" AND Registry.registry_value_data = "0x00000004")) | ||
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid | ||
| `drop_dm_object_name(Registry)` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `windows_impair_defenses_disable_av_autostart_via_registry_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the registry value name, registry path, and registry value data from your | ||
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical | ||
Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
known_false_positives: unknown | ||
references: | ||
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape | ||
- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers | ||
tags: | ||
analytic_story: | ||
- ValleyRAT | ||
asset_type: Endpoint | ||
confidence: 100 | ||
impact: 90 | ||
message: disable anti-virus autostart via registry on [$dest$]. | ||
mitre_attack_id: | ||
- T1112 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- Registry.dest | ||
- Registry.registry_value_name | ||
- Registry.registry_key_name | ||
- Registry.registry_path | ||
- Registry.registry_value_data | ||
- Registry.process_guid | ||
risk_score: 90 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.log | ||
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
sourcetype: xmlwineventlog |
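Review bot: `required_fields` is out of sync with the search: the tstats BY clause groups on `Registry.user` and `Registry.registry_hive`, neither of which is listed, so a deployment that only onboards the documented fields would quietly lose those groupings; add both. `known_false_positives: unknown` also sits uneasily beside `confidence: 100`: can a user turning off autostart in the Kingsoft or Tencent product settings, or the product's own uninstaller, produce the same `autostart`/`kxesc`/`WindhunterSwitch` = `0x00000000` writes? If so, say so and point at the `_filter` macro, or lower the confidence. Spelling: `offical` in how_to_implement should be `official`, and the `message` should start with a capital and name what was disabled, e.g. `Antivirus autostart disabled via registry on [$dest$]`.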
detections/endpoint/windows_modify_registry_utilize_progids.yml
63 changes: 63 additions & 0 deletions
@@ -0,0 +1,63 @@ | ||
name: Windows Modify Registry Utilize ProgIDs | ||
id: 64fa82dd-fd11-472a-9e94-c221fffa591d | ||
version: 1 | ||
date: '2024-09-18' | ||
author: Teoderick Contreras, Splunk | ||
data_sources: | ||
- Sysmon Event ID 13 | ||
type: Anomaly | ||
status: production | ||
description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. | ||
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry | ||
WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)" | ||
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | ||
| `drop_dm_object_name(Registry)` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `windows_modify_registry_utilize_progids_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the registry value name, registry path, and registry value data from your | ||
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical | ||
Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
known_false_positives: unknown | ||
references: | ||
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape | ||
- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers | ||
- https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses | ||
tags: | ||
analytic_story: | ||
- ValleyRAT | ||
asset_type: Endpoint | ||
confidence: 70 | ||
impact: 70 | ||
message: A possible ValleyRAT Registry modification in [$dest$]. | ||
mitre_attack_id: | ||
- T1112 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- Registry.dest | ||
- Registry.registry_value_name | ||
- Registry.registry_key_name | ||
- Registry.registry_path | ||
- Registry.registry_value_data | ||
- Registry.process_guid | ||
risk_score: 49 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log | ||
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
sourcetype: xmlwineventlog |
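Review bot: the description does not match the search. The search only matches writes to `*\\ms-settings\\CurVer\\(Default)`, i.e. the ProgID redirection behind the UAC bypass in the v3ded reference, but the description talks about associating `.pwn` files with malicious processes, which is what the separate `windows_modify_registry_valleyrat_pwn_reg_entry` detection in this PR covers. Rewrite the description around the `ms-settings\CurVer` default value being pointed at an attacker-controlled ProgID (such as `.pwn`) so an analyst reading the alert understands what fired. While there: `to bypassed User Account Control` should be `to bypass User Account Control`, `targetted progIDs` should be `targeted ProgIDs`, and `offical` should be `official`; `Registry.user` is in the BY clause but missing from `required_fields`; and `known_false_positives: unknown` should at least state whether any legitimate software is known to write `ms-settings\CurVer`.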
detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
68 changes: 68 additions & 0 deletions
@@ -0,0 +1,68 @@ | ||
name: Windows Modify Registry ValleyRAT C2 Config | ||
id: ac59298a-8d81-4c02-8c9b-ffdac993891f | ||
version: 1 | ||
date: '2024-09-11' | ||
author: Teoderick Contreras, Splunk | ||
data_sources: | ||
- Sysmon EventID 12 | ||
- Sysmon EventID 13 | ||
type: TTP | ||
status: production | ||
description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically, | ||
it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. | ||
This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. | ||
By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and | ||
investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s | ||
ability to exfiltrate data or control infected systems. | ||
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry | ||
WHERE (Registry.registry_path= "*\\Console\\IpDateInfo" AND Registry.registry_value_data="Binary Data") OR (Registry.registry_path= "*\\Console\\SelfPath" AND Registry.registry_value_data="*.exe") | ||
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid | ||
| `drop_dm_object_name(Registry)` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `windows_modify_registry_valleyrat_c2_config_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the registry value name, registry path, and registry value data from your | ||
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical | ||
Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
known_false_positives: unknown | ||
references: | ||
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape | ||
- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers | ||
tags: | ||
analytic_story: | ||
- ValleyRAT | ||
asset_type: Endpoint | ||
confidence: 100 | ||
impact: 90 | ||
message: A possible ValleyRAT Registry modification in [$dest$]. | ||
mitre_attack_id: | ||
- T1112 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- Registry.dest | ||
- Registry.registry_value_name | ||
- Registry.registry_key_name | ||
- Registry.registry_path | ||
- Registry.registry_value_data | ||
- Registry.process_guid | ||
risk_score: 90 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.log | ||
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
sourcetype: xmlwineventlog |
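Review bot: `required_fields` omits `Registry.user` and `Registry.registry_hive`, both of which the BY clause groups on; add them. The `data_sources` entries are spelled `Sysmon EventID 12` / `Sysmon EventID 13` while the other detections in this PR write `Sysmon Event ID 13`; the inconsistency will split anything that aggregates on data source names. `offical` in how_to_implement should be `official`. The `SelfPath` clause is anchored on a value name under `Console`, a key that exists in every user hive, so with `confidence: 100` the `known_false_positives: unknown` entry should at least say whether any legitimate software is known to write `IpDateInfo` or `SelfPath` there.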
detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
62 changes: 62 additions & 0 deletions
@@ -0,0 +1,62 @@ | ||
name: Windows Modify Registry ValleyRat PWN Reg Entry | ||
id: 6947c44e-be1f-4dd9-b198-bc42be5be196 | ||
version: 1 | ||
date: '2024-09-11' | ||
author: Teoderick Contreras, Splunk | ||
data_sources: | ||
- Sysmon Event ID 13 | ||
type: TTP | ||
status: production | ||
description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. | ||
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry | ||
WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") | ||
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | ||
| `drop_dm_object_name(Registry)` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `windows_modify_registry_valleyrat_pwn_reg_entry_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the registry value name, registry path, and registry value data from your | ||
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical | ||
Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
known_false_positives: unknown | ||
references: | ||
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape | ||
- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers | ||
tags: | ||
analytic_story: | ||
- ValleyRAT | ||
asset_type: Endpoint | ||
confidence: 100 | ||
impact: 90 | ||
message: A possible ValleyRAT Registry modification in [$dest$]. | ||
mitre_attack_id: | ||
- T1112 | ||
observable: | ||
- name: user | ||
type: User | ||
role: | ||
- Victim | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- Registry.dest | ||
- Registry.registry_value_name | ||
- Registry.registry_key_name | ||
- Registry.registry_path | ||
- Registry.registry_value_data | ||
- Registry.process_guid | ||
risk_score: 90 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log | ||
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
sourcetype: xmlwineventlog |
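Review bot: the second half of the WHERE clause, `Registry.registry_value_data = ".pwn"`, is not scoped to any path, so it fires on any registry value anywhere whose data is exactly `.pwn`, including the `ms-settings\CurVer` default that `windows_modify_registry_utilize_progids` in this PR already covers (both use the same `pwn_reg.log` test data). Either constrain it to a path (an AND on `*\\CurVer\\*`, for instance) or drop it and let the ProgIDs detection own that case, so the two do not double-alert on a single event. Also: `name` says `ValleyRat` while every other field and file in this PR uses `ValleyRAT`; `Registry.user` is in the BY clause but not in `required_fields`; `offical` should be `official`; and `known_false_positives: unknown` next to `confidence: 100` needs a sentence.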
detections/endpoint/windows_schedule_task_dll_module_loaded.yml
64 changes: 64 additions & 0 deletions
@@ -0,0 +1,64 @@ | ||
name: Windows Schedule Task DLL Module Loaded | ||
id: bc5b2304-f241-419b-874a-e927f667b7b6 | ||
version: 1 | ||
date: '2024-09-11' | ||
author: Teoderick Contreras, Splunk | ||
data_sources: | ||
- Sysmon Event ID 7 | ||
type: TTP | ||
status: production | ||
description: The following analytic detects instances where the taskschd.dll is loaded by processes running in | ||
suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll | ||
typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from | ||
writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying | ||
processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially | ||
malicious activity and investigate further to prevent unauthorized system modifications. | ||
search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", | ||
"*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") | ||
ImageLoaded = "*\\taskschd.dll" | ||
| stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | ||
| `windows_schedule_task_dll_module_loaded_filter`' | ||
how_to_implement: To successfully implement this search, you need to be ingesting | ||
logs with the process name and imageloaded executions from your endpoints. If you | ||
are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. | ||
known_false_positives: Third party Legitimate application may load this task schedule dll module. | ||
references: | ||
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape | ||
- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers | ||
tags: | ||
analytic_story: | ||
- ValleyRAT | ||
asset_type: Endpoint | ||
confidence: 80 | ||
impact: 80 | ||
message: A taskschd.dll was loaded by a process - [$Image$] on [$dest$] | ||
mitre_attack_id: | ||
- T1053 | ||
observable: | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
required_fields: | ||
- _time | ||
- Image | ||
- ImageLoaded | ||
- process_name | ||
- dest | ||
- EventCode | ||
- Signed | ||
- ProcessId | ||
risk_score: 64 | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.log | ||
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
sourcetype: xmlwineventlog |
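Review bot: the stats line `... by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid` has an empty field between two commas (`ImageLoaded, , OriginalFileName`), which the SPL parser rejects or at best silently ignores; remove the stray comma and check whether `process_name` was meant to go there. In the `Image IN (...)` list, `"\\Windows\\repair\\*"` lacks the leading `*` that every other pattern has, so it can never match a full image path; make it `"*\\Windows\\repair\\*"`. `required_fields` lists `process_name`, `Signed` and `ProcessId`, none of which the search uses, and omits `user_id`, `OriginalFileName` and `ProcessGuid`, which it does. `how_to_implement` requires Sysmon TA 6.0.4 while the other detections in this PR say 2.0 and link the Splunkbase app; align them. Grammar: `Third party Legitimate application may load this task schedule dll module` should read `Third-party legitimate applications may load this Task Scheduler DLL module`, and `message` should drop the article in `A taskschd.dll was loaded`.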