Merge pull request #3203 from splunk/lumma

Haaglumination

detections/application/detect_distributed_password_spray_attempts.yml

@@ -76,7 +76,7 @@ tags:
   - Authentication.user
   - Authentication.src
   security_domain: access
-  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
+  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detection.
 tests:
 - name: True Positive Test
   attack_data:

detections/application/detect_password_spray_attempts.yml

@@ -1,6 +1,6 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 3
+version: 4
 date: '2024-10-17'
 author: Dean Luxton
 status: production
@@ -41,7 +41,7 @@ how_to_implement: >-
   Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. 
   Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
 
-  This search opporates best on a 5 minute schedule, looking back over the past 70 minutes. 
+  This search operates best on a 5 minute schedule, looking back over the past 70 minutes. 
   Configure 70 minute throttling on the two fields _time and counter. 
 known_false_positives: Unknown
 references:

detections/endpoint/detect_mshta_url_in_command_line.yml

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2024-11-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -17,6 +17,8 @@ references:
 - https://github.com/redcanaryco/AtomicTestHarnesses
 - https://redcanary.com/blog/introducing-atomictestharnesses/
 - https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing
+- https://denwp.com/dissecting-lumma-malware/
+- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
 drilldown_searches:
 - name: View the detection results for - "$user$" and "$dest$"
   search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
@@ -30,6 +32,7 @@ tags:
   analytic_story:
   - Suspicious MSHTA Activity
   - Living Off The Land
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 100
   impact: 80

detections/endpoint/malicious_powershell_process___encoded_command.yml

@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 10
+version: 11
 date: '2024-10-17'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
@@ -32,10 +32,11 @@ tags:
   - Sandworm Tools
   - Data Destruction
   - Volt Typhoon
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 70
-  message: Powershell.exe running potentially malicious encodede commands on $dest$
+  message: Powershell.exe running potentially malicious encoded commands on $dest$
   mitre_attack_id:
   - T1027
   observable:

detections/endpoint/powershell_4104_hunting.yml

@@ -1,6 +1,6 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 6
+version: 7
 date: '2024-10-17'
 author: Michael Haag, Splunk
 status: production
@@ -32,6 +32,7 @@ tags:
   - Data Destruction
   - CISA AA24-241A
   - Braodo Stealer
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 100
   impact: 80

detections/endpoint/suspicious_mshta_child_process.yml

@@ -1,6 +1,6 @@
 name: Suspicious mshta child process
 id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 4
+version: 5
 date: '2024-09-30'
 author: Michael Haag, Splunk
 status: production
@@ -29,6 +29,7 @@ tags:
   analytic_story:
   - Suspicious MSHTA Activity
   - Living Off The Land
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 80
   impact: 50

detections/endpoint/windows_bitlockertogo_process_execution.yml

@@ -0,0 +1,54 @@
+name: Windows BitLockerToGo Process Execution
+id: 68cbc9e9-2882-46f2-b636-3b5080589d58
+version: 1
+date: '2024-11-13'
+author: Michael Haag, Nasreddine Bencherchali, Splunk
+data_sources:
+- Sysmon Event ID 1
+- Windows Event Log Security 4688
+type: Hunting
+status: production
+description: The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=bitlockertogo.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_process_execution_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, monitor for usage of BitLockerToGo.exe in your environment, tune as needed. If BitLockerToGo.exe is not used in your environment, move to TTP.
+references:
+- https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
+tags:
+  analytic_story:
+  - Lumma Stealer 
+  asset_type: Endpoint
+  confidence: 80
+  impact: 70
+  message: BitLockerToGo.exe was executed on $dest$ by $user$.
+  mitre_attack_id:
+  - T1218
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Processes.process_name
+  - Processes.dest
+  - Processes.user
+  - Processes.parent_process_name
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id
+  risk_score: 70
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_bitlockertogo_with_network_activity.yml

@@ -0,0 +1,52 @@
+name: Windows BitLockerToGo with Network Activity
+id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
+version: 1
+date: '2024-11-13'
+author: Michael Haag, Nasreddine Bencherchali, Splunk
+data_sources:
+- Sysmon Event ID 22
+type: Hunting
+status: production
+description: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.
+search: '`sysmon` EventCode=22 process_name="bitlockertogo.exe" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_with_network_activity_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, the detection is designed to flag unusual execution patterns that deviate from standard usage. Filtering may be required to reduce false positives, once confirmed - move to TTP.
+references:
+- https://any.run/report/5e9ba24639f70787e56f10a241271ae819ef9c573edb22b9eeade7cb40a2df2a/66f16c7b-2cfc-40c5-91cc-f1cbe9743fa3
+- https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
+tags:
+  analytic_story:
+  - Lumma Stealer
+  asset_type: Endpoint
+  confidence: 80
+  impact: 70
+  message: BitLockerToGo.exe was executed with network activity on $dest$.
+  mitre_attack_id:
+  - T1218
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - process_name
+  - process_guid
+  - Computer
+  - query
+  - answer
+  - QueryResults
+  - QueryStatus
+  - dest
+  risk_score: 70
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_runmru_command_execution.yml

@@ -0,0 +1,72 @@
+name: Windows RunMRU Command Execution
+id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
+version: 1
+date: '2024-11-08'
+author: Nasreddine Bencherchali, Michael Haag, Splunk
+data_sources:
+- Sysmon Event ID 11
+- Sysmon Event ID 13
+type: Anomaly
+status: production
+description: The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. The detection excludes MRUList value changes to focus on actual command entries.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" NOT Registry.registry_key_name="*\\MRUList" by Registry.dest Registry.registry_value_data Registry.action  Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_command_execution_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Registry` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: This detection may generate a few false positives, such as legitimate software updates or legitimate system maintenance activities that modify the RunMRU key. However, the exclusion of MRUList value changes helps reduce the number of false positives by focusing only on actual command entries. Add any specific false positives to the built in filter to reduce notables as needed.
+references:
+- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
+- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+- https://www.forensafe.com/blogs/runmrukey.html
+- https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Lumma Stealer
+  asset_type: Endpoint
+  confidence: 60
+  impact: 80
+  message: An instance of $registry_value_data$ was identified on endpoint $dest$ by user $user$ attempting to execute a command through the Run dialog box.
+  mitre_attack_id:
+  - T1202
+  observable:
+  - name: registry_value_data
+    type: Registry Value
+    role:
+    - Attacker
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Registry.dest
+  - Registry.registry_value_data 
+  - Registry.action
+  - Registry.process_guid
+  - Registry.process_id
+  - Registry.registry_key_name
+  - Registry.user
+  risk_score: 80
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

stories/lumma_stealer.yml

@@ -0,0 +1,34 @@
+name: Lumma Stealer
+id: 6c8f76f6-1272-4c0e-afbd-5a9f58947fa5
+version: 1
+date: '2024-11-13'
+author: Michael Haag, Nasreddine Bencherchali, Splunk
+description: Lumma Stealer is a sophisticated information-stealing malware that has been operating as a Malware-as-a-Service (MaaS) platform since 2022. Recent campaigns in 2024 have shown increased sophistication in distribution methods, particularly through fake CAPTCHA verification pages, cracked game downloads, and phishing emails targeting GitHub users. The malware is designed to steal sensitive information including browser credentials, cryptocurrency wallet data, and password manager archives.
+narrative: As of late 2024, Lumma Stealer has emerged as one of the most prominent information stealers in the threat landscape, employing increasingly sophisticated distribution techniques. The malware's primary infection vector involves a deceptive CAPTCHA campaign where attackers create convincing phishing sites featuring fake Google CAPTCHA verification pages. When users interact with these pages by clicking "I'm not a robot," malicious code is automatically copied to their clipboard. Users are then socially engineered to paste this code into the Windows Run dialog (Win+R), triggering PowerShell commands that download and execute the Lumma Stealer payload. /
+
+    The malware's distribution infrastructure is highly sophisticated, leveraging various hosting platforms including Amazon S3 buckets and Content Delivery Networks (CDNs). To evade detection, the operators employ multiple obfuscation techniques, including base64 encoding and clipboard manipulation. The malware is frequently distributed through malvertising campaigns on adult sites, file-sharing services, betting platforms, and anime websites. /
+
+    Recent intelligence has revealed several concerning developments in Lumma Stealer's operations. The malware has been observed working in conjunction with other threat families, notably the Amadey botnet, expanding its reach and capabilities. Its geographic targeting has broadened, with significant activity reported in Brazil, Spain, Italy, and Russia. The threat actors behind Lumma have also demonstrated increased prowess in social engineering, making it one of the top-ranked malware threats in recent global threat indexes. /
+
+    Effective detection strategies should focus on monitoring PowerShell execution patterns, suspicious Run dialog usage, and unauthorized access attempts to credential stores and cryptocurrency wallets. Organizations should implement comprehensive monitoring of these attack vectors to detect and respond to Lumma Stealer campaigns effectively.
+references:
+    - https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
+    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+    - https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
+    - https://www.bleepingcomputer.com/news/security/clever-github-scanner-campaign-abusing-repos-to-push-malware/
+    - https://www.trendmicro.com/en_us/research/23/j/beware-lumma-stealer-distributed-via-discord-cdn-.html
+    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
+    - https://www.forensafe.com/blogs/runmrukey.html
+    - https://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/
+    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
+    - https://denwp.com/dissecting-lumma-malware/
+    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve: []