From fd2896676618e20055ae748f97dbd408afafe29e Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 17 Sep 2024 09:47:33 +0200 Subject: [PATCH 1/6] valleyrat --- .../add_or_set_windows_defender_exclusion.yml | 1 + .../endpoint/cmlua_or_cmstplua_uac_bypass.yml | 1 + detections/endpoint/eventvwr_uac_bypass.yml | 1 + ..._or_script_creation_in_suspicious_path.yml | 1 + detections/endpoint/fodhelper_uac_bypass.yml | 1 + .../endpoint/suspicious_process_file_path.yml | 1 + ...ss_token_manipulation_sedebugprivilege.yml | 1 + ...dows_defender_exclusion_registry_entry.yml | 1 + ...ws_task_scheduler_event_action_started.yml | 1 + stories/valleyrat.yml | 19 +++++++++++++++++++ 10 files changed, 28 insertions(+) create mode 100644 stories/valleyrat.yml diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml index 82a65ac702..bdcb476131 100644 --- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml +++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml @@ -47,6 +47,7 @@ tags: - Windows Defense Evasion Tactics - Data Destruction - WhisperGate + - ValleyRAT asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index e578c0bcd9..92fe898687 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -32,6 +32,7 @@ tags: - DarkSide Ransomware - Ransomware - LockBit Ransomware + - ValleyRAT asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml index 1fa34580aa..4e28791c3c 100644 --- a/detections/endpoint/eventvwr_uac_bypass.yml +++ b/detections/endpoint/eventvwr_uac_bypass.yml 
@@ -49,6 +49,7 @@ tags: - IcedID - Living Off The Land - Windows Registry Abuse + - ValleyRAT asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 50cad7d63d..09e2f24d47 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -75,6 +75,7 @@ tags: - AcidPour - Handala Wiper - MoonPeak + - ValleyRAT asset_type: Endpoint confidence: 50 impact: 40 diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 036d21325a..8b21b747d4 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -42,6 +42,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - IcedID + - ValleyRAT asset_type: Endpoint confidence: 90 impact: 90 diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 980e515d27..efdb4fe588 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -80,6 +80,7 @@ tags: - Phemedrone Stealer - Handala Wiper - MoonPeak + - ValleyRAT asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 36a82e515d..ff1fe33c90 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -39,6 +39,7 @@ tags: - DarkGate Malware - CISA AA23-347A - PlugX + - ValleyRAT asset_type: Endpoint confidence: 60 impact: 60 
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml index f2c43428c9..c8dd16f139 100644 --- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml +++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml @@ -37,6 +37,7 @@ tags: - Azorult - Qakbot - Warzone RAT + - ValleyRAT asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index 88fa866077..df5bc7bc98 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -46,6 +46,7 @@ tags: - Scheduled Tasks - CISA AA24-241A - BlackSuit Ransomware + - ValleyRAT asset_type: Endpoint confidence: 100 impact: 80 diff --git a/stories/valleyrat.yml b/stories/valleyrat.yml new file mode 100644 index 0000000000..a53d866238 --- /dev/null +++ b/stories/valleyrat.yml 
@@ -0,0 +1,19 @@ +name: ValleyRAT +id: e9703322-5462-4c4a-a427-b9895c1472de +version: 1 +date: '2024-09-11' +author: Teoderick Contreras, Splunk +description: This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might be related to ValleyRAT malware. ValleyRAT is a remote access trojan (RAT) known for targeting specific organizations and individuals to gain unauthorized access to systems. It enables attackers to execute commands, steal sensitive data, and manipulate files. This malware often uses phishing emails or malicious attachments to infect systems. Detecting ValleyRAT early is crucial to preventing data breaches and further exploitation. Analysts can use behavioral analysis and signature-based detection to mitigate its impact. +narrative: ValleyRAT is a stealthy remote access trojan (RAT) used by cybercriminals to gain unauthorized control over compromised systems. It often infiltrates targets through phishing emails or malicious attachments, allowing attackers to execute commands, steal sensitive information, manipulate files, and monitor user activities remotely. Once inside, ValleyRAT can evade detection by blending in with legitimate processes, making it challenging to identify. +references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +tags: + category: + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From d1a8e40b995b5adc344250db6d38198cb5d35ad6 Mon Sep 17 00:00:00 2001 
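Review bot: The new `stories/valleyrat.yml` ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which turns the next append to the file into a noisy diff. The `narrative` restates the `description` almost word for word instead of saying what the detections tagged into this story in the same patch actually cover — Defender exclusion changes, UAC bypass via cmlua/eventvwr/fodhelper, scheduled-task persistence, SeDebugPrivilege token manipulation, and executables in suspicious paths — which is the information an analyst needs when triaging a story hit. A narrative of that shape, one sentence per behaviour linking it to the relevant analytic, would be more useful than a second generic paragraph.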
From: tccontre Date: Wed, 18 Sep 2024 11:45:50 +0200 Subject: [PATCH 2/6] valleyrat --- ...indows_modify_registry_utilize_progids.yml | 64 +++++++++++++++++++ ...odify_registry_valleyrat_pwn_reg_entry.yml | 63 ++++++++++++++++++ ...tasks_for_compmgmtlauncher_or_eventvwr.yml | 57 +++++++++++++++++ 3 files changed, 184 insertions(+) create mode 100644 detections/endpoint/windows_modify_registry_utilize_progids.yml create mode 100644 detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml create mode 100644 detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml new file mode 100644 index 0000000000..f4b29cf0e7 --- /dev/null +++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml 
@@ -0,0 +1,64 @@ +name: Windows Modify Registry Utilize ProgIDs +id: 64fa82dd-fd11-472a-9e94-c221fffa591d +version: 1 +date: '2024-09-18' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 13 +type: Anomaly +status: production +description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. +kind: endpoint +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)" + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_modify_registry_utilize_progids_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + Sysmon TA. 
https://splunkbase.splunk.com/app/5709 +known_false_positives: unknown +references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +- https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses +tags: + analytic_story: + - ValleyRAT + asset_type: Endpoint + confidence: 70 + impact: 70 + message: A possible ValleyRAT Registry modification in [$dest$]. + mitre_attack_id: + - T1112 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + risk_score: 49 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml new file mode 100644 index 0000000000..9dcf0ec2f1 --- /dev/null +++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml 
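Review bot: The `tstats` in `search` computes only `count`, so `firstTime` and `lastTime` are never produced and the two `security_content_ctime` macros that follow operate on fields that do not exist; add `min(_time) as firstTime max(_time) as lastTime` after `count` in the `tstats` call. The same omission is present in windows_modify_registry_valleyrat_pwn_reg_entry.yml, windows_impair_defenses_disable_av_autostart_via_registry.yml and windows_modify_registry_valleyrat_c2_config.yml in this series, whereas the scheduled-task detection does it correctly with `stats`. The `description` also has two typos, `bypassed` for `bypass` and `targetted` for `targeted`, and the file lacks a trailing newline.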
@@ -0,0 +1,63 @@ +name: Windows Modify Registry ValleyRat PWN Reg Entry +id: 6947c44e-be1f-4dd9-b198-bc42be5be196 +version: 1 +date: '2024-09-11' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 13 +type: TTP +status: production +description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. +kind: endpoint +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_modify_registry_valleyrat_pwn_reg_entry_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + Sysmon TA. 
https://splunkbase.splunk.com/app/5709 +known_false_positives: unknown +references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +tags: + analytic_story: + - ValleyRAT + asset_type: Endpoint + confidence: 100 + impact: 90 + message: A possible ValleyRAT Registry modification in [$dest$]. + mitre_attack_id: + - T1112 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml new file mode 100644 index 0000000000..f125b4afb6 --- /dev/null +++ b/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml 
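Review bot: The second clause, `Registry.registry_value_data = ".pwn"`, matches any registry write whose data is exactly `.pwn` regardless of key, so a value written under `ms-settings\CurVer` is caught both by this detection and by windows_modify_registry_utilize_progids.yml on the same event and the same `pwn_reg.log` dataset. If that overlap is intended, state it in `description`; otherwise scope the clause to the ProgID path it is meant to cover. A `TTP` detection with `confidence: 100` and `risk_score: 90` should not ship with `known_false_positives: unknown`; replace it with a statement of what legitimate software, if any, registers a `.pwn` handler, or that none is known to the author.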
@@ -0,0 +1,57 @@ +name: Windows Schedule Tasks for CompMgmtLauncher or Eventvwr +id: feb43b86-8c38-46cd-865e-20ce8a96c26c +version: 1 +date: '2024-09-11' +author: Teoderick Contreras, Splunk +data_sources: +- Windows Security 4698 +type: TTP +status: production +description: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats. +kind: endpoint +search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" OR + TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" OR + TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*" + | stats count min(_time) as firstTime max(_time) as lastTime by dest action EventData_Xml TaskContent TaskName + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well + as the URL ToolBox application are also required. 
+known_false_positives: unknown +references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +tags: + analytic_story: + - ValleyRAT + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A schedule task created for CompMgmtLauncher or Eventvwr on [$dest$]. + mitre_attack_id: + - T1053 + observable: + - name: dest + type: Endpoint + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - dest + - action + - EventData_Xml + - TaskContent + - TaskName + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.log + source: WinEventLog:Security + sourcetype: WinEventLog From 27e28cdf7ef8914a051ed6229f5d8ee5903100f4 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 18 Sep 2024 15:00:54 +0200 Subject: [PATCH 3/6] valleyrat --- ...indows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml index f125b4afb6..b8d3d9dc7f 100644 --- a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml +++ b/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml 
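Review bot: The `search` chains three `TaskContent` comparisons with `OR` at the same level as `EventCode=4698`; SPL's implicit AND binds tighter than `OR`, so only the first comparison is gated by the event code and the other two match on any event carrying `TaskContent`. Group them: `EventCode=4698 (TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*")`. The patterns also hard-code `C:\\Windows\\System32`, so a task created on a host with a different system drive or a non-`zh-CN` locale folder is missed; wildcards of the form `*\\System32\\*eventvwr.msc</Command>*` would be more robust. `how_to_implement` names the URL ToolBox application, which nothing in this search uses.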
@@ -53,5 +53,5 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.log - source: WinEventLog:Security - sourcetype: WinEventLog + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog From 3101ca12027abe51770867ce7495cf17ca2ad2d8 Mon Sep 17 00:00:00 2001 From: tccontre Date: Thu, 19 Sep 2024 11:19:16 +0200 Subject: [PATCH 4/6] valleyrat --- ...nses_disable_av_autostart_via_registry.yml | 70 +++++++++++++++++++ ...ws_modify_registry_valleyrat_c2_config.yml | 69 ++++++++++++++++++ ...indows_schedule_task_dll_module_loaded.yml | 65 +++++++++++++++++ 3 files changed, 204 insertions(+) create mode 100644 detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml create mode 100644 detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml create mode 100644 detections/endpoint/windows_schedule_task_dll_module_loaded.yml diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml new file mode 100644 index 0000000000..740048e4a4 --- /dev/null +++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml 
@@ -0,0 +1,70 @@ +name: Windows Impair Defenses Disable AV AutoStart via Registry +id: 31a13f43-812e-4752-a6ca-c6c87bf03e83 +version: 1 +date: '2024-09-11' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 13 +type: TTP +status: production +description: The following analytic detects modifications to the registry related to the disabling of autostart + functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter + specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. + By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security + analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining + system integrity and preventing further compromise by malicious actors. +kind: endpoint +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*") + AND ((Registry.registry_value_name IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000") + OR (Registry.registry_value_name = "WindhunterLevel" AND Registry.registry_value_data = "0x00000004")) + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_impair_defenses_disable_av_autostart_via_registry_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value 
data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + Sysmon TA. https://splunkbase.splunk.com/app/5709 +known_false_positives: unknown +references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +tags: + analytic_story: + - ValleyRAT + asset_type: Endpoint + confidence: 100 + impact: 90 + message: disable anti-virus autostart via registry on [$dest$]. + mitre_attack_id: + - T1112 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml new file mode 100644 index 0000000000..5812d7f621 --- /dev/null +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml 
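Review bot: `Registry.registry_value_data = "0x00000000"` and `= "0x00000004"` are exact comparisons, but Sysmon Event ID 13 reports DWORD values as `DWORD (0x00000000)` in its Details field; unless the add-on strips that prefix when it maps `registry_value_data`, neither condition ever matches — confirm against the `kingsoft_reg.log` test dataset and, if needed, use `= "*0x00000000"` / `= "*0x00000004"`. The `BY` clause groups on `Registry.registry_hive` but `required_fields` omits it. `known_false_positives: unknown` is probably not accurate here: a user who disables autostart through the Kingsoft or Tencent product's own settings would presumably write the same values, which is worth stating.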
@@ -0,0 +1,69 @@ +name: Windows Modify Registry ValleyRAT C2 Config +id: ac59298a-8d81-4c02-8c9b-ffdac993891f +version: 1 +date: '2024-09-11' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon EventID 12 +- Sysmon EventID 13 +type: TTP +status: production +description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically, + it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. + This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. + By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and + investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s + ability to exfiltrate data or control infected systems. +kind: endpoint +search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry + WHERE (Registry.registry_path= "*\\Console\\IpDateInfo" AND Registry.registry_value_data="Binary Data") OR (Registry.registry_path= "*\\Console\\SelfPath" AND Registry.registry_value_data="*.exe") + BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_modify_registry_valleyrat_c2_config_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the registry value name, registry path, and registry value data from your + endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + Sysmon TA. 
https://splunkbase.splunk.com/app/5709 +known_false_positives: unknown +references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +tags: + analytic_story: + - ValleyRAT + asset_type: Endpoint + confidence: 100 + impact: 90 + message: A possible ValleyRAT Registry modification in [$dest$]. + mitre_attack_id: + - T1112 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - Registry.dest + - Registry.registry_value_name + - Registry.registry_key_name + - Registry.registry_path + - Registry.registry_value_data + - Registry.process_guid + risk_score: 90 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_schedule_task_dll_module_loaded.yml b/detections/endpoint/windows_schedule_task_dll_module_loaded.yml new file mode 100644 index 0000000000..a0a70f2459 --- /dev/null +++ b/detections/endpoint/windows_schedule_task_dll_module_loaded.yml 
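Review bot: `data_sources` spells the entries `Sysmon EventID 12` and `Sysmon EventID 13`, while every other detection in this series writes `Sysmon Event ID 13`; if the build validates data source names against a catalog this file will fail, and in any case it should be `- Sysmon Event ID 12` / `- Sysmon Event ID 13` for consistency. The `BY` clause uses `Registry.registry_hive` but `required_fields` does not list it. The `Registry.registry_value_data="Binary Data"` clause keys on Sysmon's placeholder text for REG_BINARY data rather than on content, so the `IpDateInfo` value name is doing all the work; saying so in `description` would help analysts understand what to pivot on when the alert fires.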
@@ -0,0 +1,65 @@ +name: Windows Schedule Task DLL Module Loaded +id: bc5b2304-f241-419b-874a-e927f667b7b6 +version: 1 +date: '2024-09-11' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 7 +type: TTP +status: production +description: The following analytic detects instances where the taskschd.dll is loaded by processes running in + suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll + typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from + writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying + processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially + malicious activity and investigate further to prevent unauthorized system modifications. +kind: endpoint +search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", + "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") + ImageLoaded = "*\\taskschd.dll" + | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_schedule_task_dll_module_loaded_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: Third party Legitimate application may load this task schedule dll module. 
+references: +- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape +- https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers +tags: + analytic_story: + - ValleyRAT + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A taskschd.dll was loaded by a process - [$Image$] on [$dest$] + mitre_attack_id: + - T1053 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Image + - ImageLoaded + - process_name + - dest + - EventCode + - Signed + - ProcessId + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog From 6e4ae3df95b89b2662688c5d881fdccb4f75294d Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 24 Sep 2024 19:45:07 +0530 Subject: [PATCH 5/6] remove kind --- .../endpoint/windows_modify_registry_valleyrat_c2_config.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml index 5812d7f621..b6b46bc824 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml 
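Review bot: The `stats ... by` field list reads `Image ,ImageLoaded, , OriginalFileName` — a stray empty entry between two commas that will either fail to parse or be silently dropped; it should read `by user_id, dest, Image, ImageLoaded, OriginalFileName, ProcessGuid`. In the `Image IN (...)` list, `"\\Windows\\repair\\*"` is the only entry without a leading `*`, so it can never match a full image path; change it to `"*\\Windows\\repair\\*"`. `required_fields` lists `process_name`, `Signed` and `ProcessId`, none of which the search uses, while `user_id`, `OriginalFileName` and `ProcessGuid`, which it does use, are missing. The `dest` observable is typed `Hostname` here but `Endpoint` in windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml; pick one for the series.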
@@ -14,7 +14,6 @@ description: The following analytic detects modifications to registry related to By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s ability to exfiltrate data or control infected systems. -kind: endpoint search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Console\\IpDateInfo" AND Registry.registry_value_data="Binary Data") OR (Registry.registry_path= "*\\Console\\SelfPath" AND Registry.registry_value_data="*.exe") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.registry_hive Registry.process_guid From 90533f8123ed623e896c6c8b079a18f555efb8f9 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 24 Sep 2024 19:51:40 +0530 Subject: [PATCH 6/6] remove kind --- ...windows_impair_defenses_disable_av_autostart_via_registry.yml | 1 - detections/endpoint/windows_modify_registry_utilize_progids.yml | 1 - .../endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml | 1 - detections/endpoint/windows_schedule_task_dll_module_loaded.yml | 1 - .../windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml | 1 - 5 files changed, 5 deletions(-) diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml index 740048e4a4..061bbf8ad5 100644 --- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml +++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml 
@@ -13,7 +13,6 @@ description: The following analytic detects modifications to the registry relate By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining system integrity and preventing further compromise by malicious actors. -kind: endpoint search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN("*\\kingsoft\\antivirus\\KAVReport\\*" , "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*" ,"*\\Tencent\\QQPCMgr\\*") AND ((Registry.registry_value_name IN("autostart","kxesc", "WindhunterSwitch") AND Registry.registry_value_data = "0x00000000") diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml index f4b29cf0e7..3f6ac59418 100644 --- a/detections/endpoint/windows_modify_registry_utilize_progids.yml +++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml 
@@ -8,7 +8,6 @@ data_sources:
 type: Anomaly
 status: production
 description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
-kind: endpoint
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)" BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
index 9dcf0ec2f1..3259ae11a8 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
@@ -8,7 +8,6 @@ data_sources:
 type: TTP
 status: production
 description: The following analytic detects modifications to the Windows Registry specifically targeting `.pwn` file associations related to the ValleyRAT malware. ValleyRAT may create or alter registry entries to associate `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to `.pwn` extensions, this detection enables security analysts to identify potential ValleyRAT infection attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
-kind: endpoint
 search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*.pwn\\Shell\\Open\\command" OR Registry.registry_value_data = ".pwn") BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
diff --git a/detections/endpoint/windows_schedule_task_dll_module_loaded.yml b/detections/endpoint/windows_schedule_task_dll_module_loaded.yml
index a0a70f2459..1fb56b4337 100644
--- a/detections/endpoint/windows_schedule_task_dll_module_loaded.yml
+++ b/detections/endpoint/windows_schedule_task_dll_module_loaded.yml
@@ -13,7 +13,6 @@ description: The following analytic detects instances where the taskschd.dll is
 writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially malicious activity and investigate further to prevent unauthorized system modifications.
-kind: endpoint
 search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") ImageLoaded = "*\\taskschd.dll"
diff --git a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml
index b8d3d9dc7f..2760c374fc 100644
--- a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml
+++ b/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml
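Review bot: The `"\\Windows\\repair\\*"` entry in the `Image IN (...)` list on the `search:` line is the only path pattern without a leading `*`, so it can only match an Image value that literally begins with `\Windows\repair\`; Sysmon EventCode=7 `Image` values are full paths with a drive prefix, so this entry presumably never matches and taskschd.dll loads from that directory go undetected. Change it to `"*\\Windows\\repair\\*"` so it behaves like its siblings. The `"*\\Users\\Administrator\\Music\\*"` pattern is also notably narrower than the rest (one hard-coded account); whether that is deliberate is not visible here, so I would at least document the reason in a comment beside the search rather than widen it blindly.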
@@ -8,7 +8,6 @@ data_sources:
 type: TTP
 status: production
 description: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.
-kind: endpoint
 search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*"