Merge pull request #3129 from splunk/valleyrat

valleyrat

detections/endpoint/add_or_set_windows_defender_exclusion.yml

@@ -47,6 +47,7 @@ tags:
   - Windows Defense Evasion Tactics
   - Data Destruction
   - WhisperGate
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 80
   impact: 80

detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml

@@ -32,6 +32,7 @@ tags:
   - DarkSide Ransomware
   - Ransomware
   - LockBit Ransomware
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 100
   impact: 80

detections/endpoint/eventvwr_uac_bypass.yml

@@ -49,6 +49,7 @@ tags:
   - IcedID
   - Living Off The Land
   - Windows Registry Abuse
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 100
   impact: 80

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -75,6 +75,7 @@ tags:
   - AcidPour
   - Handala Wiper
   - MoonPeak
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 50
   impact: 40

detections/endpoint/fodhelper_uac_bypass.yml

@@ -42,6 +42,7 @@ tags:
   analytic_story:
   - Windows Defense Evasion Tactics
   - IcedID
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 90
   impact: 90

detections/endpoint/suspicious_process_file_path.yml

@@ -80,6 +80,7 @@ tags:
   - Phemedrone Stealer
   - Handala Wiper
   - MoonPeak
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 50
   impact: 70

detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml

@@ -39,6 +39,7 @@ tags:
   - DarkGate Malware
   - CISA AA23-347A
   - PlugX
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 60
   impact: 60

detections/endpoint/windows_defender_exclusion_registry_entry.yml

@@ -37,6 +37,7 @@ tags:
   - Azorult
   - Qakbot
   - Warzone RAT
+  - ValleyRAT
   asset_type: Endpoint
   confidence: 80
   impact: 80

detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml

@@ -0,0 +1,69 @@
+name: Windows Impair Defenses Disable AV AutoStart via Registry
+id: 31a13f43-812e-4752-a6ca-c6c87bf03e83
+version: 1
+date: '2024-09-11'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 13
+type: TTP
+status: production
+description: The following analytic detects modifications to the registry related to the disabling of autostart 
+  functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter 
+  specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. 
+  By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security 
+  analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining 
+  system integrity and preventing further compromise by malicious actors.
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*") 
+  AND ((Registry.registry_value_name IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000")
+        OR (Registry.registry_value_name = "WindhunterLevel" AND Registry.registry_value_data = "0x00000004"))
+  BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid
+  | `drop_dm_object_name(Registry)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_impair_defenses_disable_av_autostart_via_registry_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: unknown
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
+- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
+tags:
+  analytic_story:
+  - ValleyRAT
+  asset_type: Endpoint
+  confidence: 100
+  impact: 90
+  message: disable anti-virus autostart via registry on [$dest$].
+  mitre_attack_id:
+  - T1112
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Registry.dest
+  - Registry.registry_value_name
+  - Registry.registry_key_name
+  - Registry.registry_path
+  - Registry.registry_value_data
+  - Registry.process_guid
+  risk_score: 90
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_modify_registry_utilize_progids.yml

@@ -0,0 +1,63 @@
+name: Windows Modify Registry Utilize ProgIDs
+id: 64fa82dd-fd11-472a-9e94-c221fffa591d
+version: 1
+date: '2024-09-18'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 13
+type: Anomaly
+status: production
+description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)"
+  BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
+  | `drop_dm_object_name(Registry)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_modify_registry_utilize_progids_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: unknown
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
+- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
+- https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
+tags:
+  analytic_story:
+  - ValleyRAT
+  asset_type: Endpoint
+  confidence: 70
+  impact: 70
+  message: A possible ValleyRAT Registry modification in [$dest$].
+  mitre_attack_id:
+  - T1112
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Registry.dest
+  - Registry.registry_value_name
+  - Registry.registry_key_name
+  - Registry.registry_path
+  - Registry.registry_value_data
+  - Registry.process_guid
+  risk_score: 49
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml

@@ -0,0 +1,68 @@
+name: Windows Modify Registry ValleyRAT C2 Config
+id: ac59298a-8d81-4c02-8c9b-ffdac993891f
+version: 1
+date: '2024-09-11'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon EventID 12 
+- Sysmon EventID 13
+type: TTP
+status: production
+description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically, 
+  it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. 
+  This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. 
+  By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and 
+  investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s 
+  ability to exfiltrate data or control infected systems.
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE (Registry.registry_path= "*\\Console\\IpDateInfo" AND Registry.registry_value_data="Binary Data") OR (Registry.registry_path= "*\\Console\\SelfPath" AND Registry.registry_value_data="*.exe")
+  BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid
+  | `drop_dm_object_name(Registry)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_modify_registry_valleyrat_c2_config_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: unknown
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
+- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
+tags:
+  analytic_story:
+  - ValleyRAT
+  asset_type: Endpoint
+  confidence: 100
+  impact: 90
+  message: A possible ValleyRAT Registry modification in [$dest$].
+  mitre_attack_id:
+  - T1112
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Registry.dest
+  - Registry.registry_value_name
+  - Registry.registry_key_name
+  - Registry.registry_path
+  - Registry.registry_value_data
+  - Registry.process_guid
+  risk_score: 90
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml

@@ -0,0 +1,62 @@
+name: Windows Modify Registry ValleyRat PWN Reg Entry
+id: 6947c44e-be1f-4dd9-b198-bc42be5be196
+version: 1
+date: '2024-09-11'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 13
+type: TTP
+status: production
+description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") 
+  BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
+  | `drop_dm_object_name(Registry)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: unknown
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
+- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
+tags:
+  analytic_story:
+  - ValleyRAT
+  asset_type: Endpoint
+  confidence: 100
+  impact: 90
+  message: A possible ValleyRAT Registry modification in [$dest$].
+  mitre_attack_id:
+  - T1112
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Registry.dest
+  - Registry.registry_value_name
+  - Registry.registry_key_name
+  - Registry.registry_path
+  - Registry.registry_value_data
+  - Registry.process_guid
+  risk_score: 90
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_schedule_task_dll_module_loaded.yml

@@ -0,0 +1,64 @@
+name: Windows Schedule Task DLL Module Loaded
+id: bc5b2304-f241-419b-874a-e927f667b7b6
+version: 1
+date: '2024-09-11'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 7
+type: TTP
+status: production
+description: The following analytic detects instances where the taskschd.dll is loaded by processes running in 
+  suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll 
+  typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from 
+  writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying 
+  processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially 
+  malicious activity and investigate further to prevent unauthorized system modifications.
+search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", 
+  "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*")
+  ImageLoaded = "*\\taskschd.dll" 
+  | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_schedule_task_dll_module_loaded_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name and imageloaded executions from your endpoints. If you
+  are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: Third party Legitimate application may load this task schedule dll module.
+references:
+- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
+- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
+tags:
+  analytic_story:
+  - ValleyRAT
+  asset_type: Endpoint
+  confidence: 80
+  impact: 80
+  message: A taskschd.dll was loaded by a process - [$Image$] on [$dest$]
+  mitre_attack_id:
+  - T1053
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Image
+  - ImageLoaded
+  - process_name
+  - dest
+  - EventCode
+  - Signed
+  - ProcessId
+  risk_score: 64
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog