Branch was auto-updated.

splunk · Nov 6, 2024 · 83f00e6 · 83f00e6
2 parents b9339bc + ccd2c9d
commit 83f00e6
Show file tree

Hide file tree

Showing 16 changed files with 406 additions and 5 deletions.
diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
@@ -69,4 +69,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: xmlwineventlog
+    sourcetype: XmlWinEventLog
diff --git a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
@@ -79,5 +79,5 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: xmlwineventlog
+    sourcetype: XmlWinEventLog
     update_timestamp: true
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
@@ -35,6 +35,7 @@ tags:
   - Data Destruction
   - Log4Shell CVE-2021-44228
   - Phemedrone Stealer
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 70
   cve:

diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
@@ -31,6 +31,7 @@ tags:
   - CISA AA23-347A
   - Data Destruction
   - CISA AA24-241A
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 100
   impact: 80

diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -36,6 +36,7 @@ tags:
   - Data Destruction
   - IcedID
   - MoonPeak
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 80
   impact: 50

diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -49,6 +49,7 @@ tags:
   - Snake Keylogger
   - MoonPeak
   - BlackSuit Ransomware
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 95
   impact: 80

diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
@@ -0,0 +1,68 @@
+name: Windows Archived Collected Data In TEMP Folder
+id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
+version: 1
+date: '2024-09-24'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 11
+type: TTP
+status: production
+description: The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection.
+search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
+  where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*" 
+  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
+  | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_archived_collected_data_in_temp_folder_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
+  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+  endpoint product.
+known_false_positives: unknown
+references:
+- https://x.com/suyog41/status/1825869470323056748
+- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d
+drilldown_searches:
+- name: View the detection results for "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Braodo Stealer
+  asset_type: Endpoint
+  confidence: 80
+  impact: 80
+  message: A archive file [$file_name$] was creatd in %temp% folder on [$dest$].
+  mitre_attack_id:
+  - T1560
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Filesystem.dest
+  - Filesystem.file_create_time
+  - Filesystem.file_name
+  - Filesystem.user
+  - Filesystem.file_path
+  risk_score: 64
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/archived_in_temp_dir/braodo_zip_temp.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -27,6 +27,7 @@ tags:
   analytic_story:
   - Snake Keylogger
   - MoonPeak
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
@@ -0,0 +1,69 @@
+name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
+id: 4d14c86d-fdee-4393-94da-238d2706902f
+version: 1
+date: '2024-09-24'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 11
+type: TTP
+status: production
+description: The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access.
+search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
+  where Filesystem.file_name IN ("Local State", "Login Data") Filesystem.file_path = "*\\temp\\*" 
+  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
+  | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_credentials_from_password_stores_chrome_copied_in_temp_dir_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
+  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+  endpoint product.
+known_false_positives: unknown
+references:
+- https://x.com/suyog41/status/1825869470323056748
+- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d
+drilldown_searches:
+- name: View the detection results for "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Braodo Stealer
+  asset_type: Endpoint
+  confidence: 80
+  impact: 80
+  message: Chrome Password Store File [$file_name] was copied in %temp% folder on [$dest$].
+  mitre_attack_id:
+  - T1555.003
+  - T1555
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Filesystem.dest
+  - Filesystem.file_create_time
+  - Filesystem.file_name
+  - Filesystem.user
+  - Filesystem.file_path
+  risk_score: 64
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -8,7 +8,12 @@ type: Anomaly
 data_source:
 - Windows Event Log Security 4663
 description: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`'
+search: '`wineventlog_security` EventCode=4663 
+  object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) 
+  | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_credentials_from_password_stores_chrome_extension_access_filter`'
 how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
 known_false_positives: Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.
 references:
@@ -30,6 +35,7 @@ tags:
   - RedLine Stealer
   - Phemedrone Stealer
   - MoonPeak
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -8,7 +8,12 @@ type: Anomaly
 data_source:
 - Windows Event Log Security 4663
 description: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`'
+search: '`wineventlog_security` EventCode=4663 
+  object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) 
+  | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_credentials_from_password_stores_chrome_localstate_access_filter`'
 how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
 known_false_positives: Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.
 references:
@@ -32,6 +37,7 @@ tags:
   - Phemedrone Stealer
   - Snake Keylogger
   - MoonPeak
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -8,7 +8,12 @@ type: Anomaly
 data_source:
 - Windows Event Log Security 4663
 description: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`'
+search: '`wineventlog_security` EventCode=4663 
+  object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) 
+  | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_credentials_from_password_stores_chrome_login_data_access_filter`'
 how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
 known_false_positives: Uninstall application may access this registry to remove the entry of the target application. filter is needed.
 references:
@@ -32,6 +37,7 @@ tags:
   - Phemedrone Stealer
   - Snake Keylogger
   - MoonPeak
+  - Braodo Stealer
   asset_type: Endpoint
   confidence: 70
   impact: 70

diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
@@ -0,0 +1,69 @@
+name: Windows Credentials from Web Browsers Saved in TEMP Folder
+id: b36b23ea-763c-417b-bd4a-6a378dabad1a
+version: 1
+date: '2024-09-24'
+author: Teoderick Contreras, Splunk
+data_sources:
+- Sysmon Event ID 11
+type: TTP
+status: production
+description: The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems.
+search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
+  where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" 
+  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
+  | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_credentials_from_web_browsers_saved_in_temp_folder_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
+  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+  endpoint product.
+known_false_positives: unknown
+references:
+- https://x.com/suyog41/status/1825869470323056748
+- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d
+drilldown_searches:
+- name: View the detection results for "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Braodo Stealer
+  asset_type: Endpoint
+  confidence: 80
+  impact: 80
+  message: A known credential file name - [$file_name$] was saved in %temp% folder of [$dest$].
+  mitre_attack_id:
+  - T1555.003
+  - T1555
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Filesystem.dest
+  - Filesystem.file_create_time
+  - Filesystem.file_name
+  - Filesystem.user
+  - Filesystem.file_path
+  risk_score: 64
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog