From cfb5a6bca3de8dbc747ae1170985000c1ca50666 Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 15 Oct 2024 11:34:59 +0200 Subject: [PATCH 1/7] braodo_stealer --- .../endpoint/any_powershell_downloadfile.yml | 1 + .../endpoint/powershell_4104_hunting.yml | 1 + .../powershell_processing_stream_of_data.yml | 1 + .../registry_keys_used_for_persistence.yml | 1 + ...ial_access_from_browser_password_store.yml | 1 + ...assword_stores_chrome_extension_access.yml | 1 + ...ssword_stores_chrome_localstate_access.yml | 1 + ...ssword_stores_chrome_login_data_access.yml | 1 + stories/braodo_stealer.yml | 20 +++++++++++++++++++ 9 files changed, 28 insertions(+) create mode 100644 stories/braodo_stealer.yml diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml index c76c357157..d5d3a69b5a 100644 --- a/detections/endpoint/any_powershell_downloadfile.yml +++ b/detections/endpoint/any_powershell_downloadfile.yml @@ -48,6 +48,7 @@ tags: - Data Destruction - Log4Shell CVE-2021-44228 - Phemedrone Stealer + - Braodo Stealer asset_type: Endpoint confidence: 70 cve: diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 7ac3ab7592..d30cb5b48b 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -67,6 +67,7 @@ tags: - CISA AA23-347A - Data Destruction - CISA AA24-241A + - Braodo Stealer asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml index 6d990382d2..9bf34fdc87 100644 --- a/detections/endpoint/powershell_processing_stream_of_data.yml +++ b/detections/endpoint/powershell_processing_stream_of_data.yml @@ -38,6 +38,7 @@ tags: - Data Destruction - IcedID - MoonPeak + - Braodo Stealer asset_type: Endpoint confidence: 80 impact: 50 
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 6ee57a7b99..243ea110e9 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -78,6 +78,7 @@ tags: - Snake Keylogger - MoonPeak - BlackSuit Ransomware + - Braodo Stealer asset_type: Endpoint confidence: 95 impact: 80 diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 8ea72e0b43..36b930ca7c 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -37,6 +37,7 @@ tags: analytic_story: - Snake Keylogger - MoonPeak + - Braodo Stealer asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 2231bf6cc5..4dafa06603 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -36,6 +36,7 @@ tags: - RedLine Stealer - Phemedrone Stealer - MoonPeak + - Braodo Stealer asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 4600477107..31495f36f9 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml 
@@ -37,6 +37,7 @@ tags: - Phemedrone Stealer - Snake Keylogger - MoonPeak + - Braodo Stealer asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 98e4cefe66..9f96cd7ddf 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -38,6 +38,7 @@ tags: - Phemedrone Stealer - Snake Keylogger - MoonPeak + - Braodo Stealer asset_type: Endpoint confidence: 70 impact: 70 diff --git a/stories/braodo_stealer.yml b/stories/braodo_stealer.yml new file mode 100644 index 0000000000..ace9139920 --- /dev/null +++ b/stories/braodo_stealer.yml 
@@ -0,0 +1,20 @@ +name: Braodo Stealer +id: ec5c8721-3c13-45ac-90e8-64c63a8fdc24 +version: 1 +date: '2024-11-24' +author: Teoderick Contreras, Splunk +description: Leverage searches that allow you to detect and investigate unusual activities that may be related to the Braodo Stealer malware, a malicious software designed to steal sensitive information from infected systems. This malware typically targets login credentials, browser history, cookies, and stored passwords. Braodo Stealer often infiltrates through phishing campaigns or malicious downloads, enabling attackers to gain unauthorized access to personal and financial data. By monitoring unusual system behaviors, such as unauthorized network connections or data exfiltration, you can help prevent data breaches and mitigate the impact of this threat. +narrative: Braodo Stealer is a stealthy and dangerous piece of malware specifically engineered to siphon sensitive information from compromised systems. Often spread through phishing emails or disguised as legitimate downloads, it silently infiltrates a victim’s device. Once inside, it scours through browser histories, steals login credentials, captures cookies, and even extracts saved passwords from various applications. With this stolen data, cybercriminals can gain access to banking accounts, social media profiles, or business platforms. What makes Braodo Stealer particularly threatening is its ability to remain undetected, allowing attackers to exploit compromised systems for extended periods before the user becomes aware. +references: +- https://bazaar.abuse.ch/browse/tag/Braodo/ +- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +tags: + category: + - Data Destruction + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file 
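Review bot: The `category` list in the new story tags `Data Destruction` next to `Malware` and `Adversary Tactics`, but nothing in the description or narrative describes destructive behaviour — both paragraphs are about theft of credentials, cookies and browser data — so the category misleads anyone filtering stories by category; drop `- Data Destruction` or replace it with a category the narrative actually supports. The `date: '2024-11-24'` is later than the commit's own date and than the `2024-09-24` carried by the detections added in the following patch, which looks like a pasted value unless it is deliberately a planned release date. The file is also written without a trailing newline, unlike the other YAML files in the series.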
From 05f35f56982771202a95ade127aa6d7de20b11a0 Mon Sep 17 00:00:00 2001 From: tccontre Date: Fri, 18 Oct 2024 10:49:08 +0200 Subject: [PATCH 2/7] braodo_stealer --- ...archived_collected_data_in_temp_folder.yml | 60 +++++++++++++++ ...rd_stores_chrome_copied_in_temp_folder.yml | 61 +++++++++++++++ ...from_web_browsers_saved_in_temp_folder.yml | 61 +++++++++++++++ ...indows_disable_or_stop_browser_process.yml | 76 +++++++++++++++++++ .../windows_screen_capture_in_temp_folder.yml | 60 +++++++++++++++ 5 files changed, 318 insertions(+) create mode 100644 detections/endpoint/windows_archived_collected_data_in_temp_folder.yml create mode 100644 detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml create mode 100644 detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml create mode 100644 detections/endpoint/windows_disable_or_stop_browser_process.yml create mode 100644 detections/endpoint/windows_screen_capture_in_temp_folder.yml diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml new file mode 100644 index 0000000000..c1cb4c68b6 --- /dev/null +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml 
@@ -0,0 +1,60 @@ +name: Windows Archived Collected Data In TEMP Folder +id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe +version: 1 +date: '2024-09-24' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 11 +type: TTP +status: production +description: The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection. +kind: endpoint +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*" + by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_archived_collected_data_in_temp_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. 
+known_false_positives: unknown +references: +- https://x.com/suyog41/status/1825869470323056748 +- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +tags: + analytic_story: + - Braodo Stealer + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A archive file [$file_name$] was creatd in %temp% folder on [$dest$]. + mitre_attack_id: + - T1560 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Filesystem.dest + - Filesystem.file_create_time + - Filesystem.file_name + - Filesystem.user + - Filesystem.file_path + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/archived_in_temp_dir/braodo_zip_temp.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml new file mode 100644 index 0000000000..d0d216fc5b --- /dev/null +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml 
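Review bot: The `how_to_implement` text tells operators to feed process data into the `Processes` node of the `Endpoint` data model, but the search runs against `datamodel=Endpoint.Filesystem` and the declared data source is Sysmon Event ID 11 (file create), so the guidance points at the wrong data; it should say that file-system events must be mapped to the `Filesystem` node. The same mismatched paragraph is pasted into the three other Filesystem detections in this commit (`windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml`, `windows_credentials_from_web_browsers_saved_in_temp_folder.yml`, `windows_screen_capture_in_temp_folder.yml`). In those same four files `required_fields` lists `Filesystem.user` although no search reads it; either add `Filesystem.user` to the `by` clause so the alert can attribute the write to an account, or remove it from the list. `known_false_positives: unknown` understates the noise here, since archives appearing under a `\temp\` path are routine for installers and update agents, and the field should say so and point to the `windows_archived_collected_data_in_temp_folder_filter` macro for tuning. Separately, the `message` has a typo: `creatd` should be `created`.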
@@ -0,0 +1,61 @@ +name: Windows Credentials from Password Stores Chrome Copied in TEMP Folder +id: 4d14c86d-fdee-4393-94da-238d2706902f +version: 1 +date: '2024-09-24' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 11 +type: TTP +status: production +description: The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access. +kind: endpoint +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("Local State", "Login Data") Filesystem.file_path = "*\\temp\\*" + by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_credentials_from_password_stores_chrome_copied_in_temp_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. 
+known_false_positives: unknown +references: +- https://x.com/suyog41/status/1825869470323056748 +- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +tags: + analytic_story: + - Braodo Stealer + asset_type: Endpoint + confidence: 80 + impact: 80 + message: Chrome Password Store File [$file_name] was copied in %temp% folder on [$dest$]. + mitre_attack_id: + - T1555.003 + - T1555 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Filesystem.dest + - Filesystem.file_create_time + - Filesystem.file_name + - Filesystem.user + - Filesystem.file_path + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml new file mode 100644 index 0000000000..89d4974ee1 --- /dev/null +++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml 
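Review bot: The `message` field contains `[$file_name]` with no closing `$`, so it is not a complete `$field$` placeholder and the alert text will render the literal token instead of the copied file's name; change it to `message: Chrome Password Store File [$file_name$] was copied in %temp% folder on [$dest$].` The file also ends without a trailing newline, unlike its siblings in this commit.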
@@ -0,0 +1,61 @@ +name: Windows Credentials from Web Browsers Saved in TEMP Folder +id: b36b23ea-763c-417b-bd4a-6a378dabad1a +version: 1 +date: '2024-09-24' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 11 +type: TTP +status: production +description: The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems. +kind: endpoint +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" + by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_credentials_from_web_browsers_saved_in_temp_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. 
+known_false_positives: unknown +references: +- https://x.com/suyog41/status/1825869470323056748 +- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +tags: + analytic_story: + - Braodo Stealer + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A known credential file name - [$file_name$] was saved in %temp% folder of [$dest$]. + mitre_attack_id: + - T1555.003 + - T1555 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Filesystem.dest + - Filesystem.file_create_time + - Filesystem.file_name + - Filesystem.user + - Filesystem.file_path + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml new file mode 100644 index 0000000000..19df8b61da --- /dev/null +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml 
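Review bot: The patterns `"login*", "pass*","cookie*","master_key*"` are prefix wildcards applied to every path containing `\temp\`, so any file whose name starts with `login` or `pass` (a constructed example: an installer unpacking `login.html` into a temp directory) will match, yet `known_false_positives` is left as `unknown`. The field should state that these generic prefixes will also match legitimate software and recommend tuning by the creating process or through the `windows_credentials_from_web_browsers_saved_in_temp_folder_filter` macro. If the intent is a tight match on the behaviour in the referenced analysis, the description should say which exact names were observed rather than implying the prefixes are specific to the stealer.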
@@ -0,0 +1,76 @@ +name: Windows Disable or Stop Browser Process +id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5 +version: 1 +date: '2024-09-24' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 1 +type: TTP +status: production +description: The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise. +kind: endpoint +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process = "*taskkill*" Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe") + by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id + Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_disable_or_stop_browser_process_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: Admin or user may choose to terminate browser via taskkill.exe. Filter + as needed. +references: +- https://x.com/suyog41/status/1825869470323056748 +- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +tags: + analytic_story: + - Braodo Stealer + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A process commandline- [$process$] that tries to kill browser on [$dest$]. + mitre_attack_id: + - T1562.001 + - T1562 + observable: + - name: user + type: User + role: + - Victim + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process_name + - Processes.parent_process + - Processes.original_file_name + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_path + - Processes.process_path + - Processes.parent_process_id + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml new file mode 100644 index 0000000000..00908a969b --- /dev/null +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml 
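Review bot: `required_fields` lists `Processes.parent_process_path` and `Processes.process_path`, but the search's `by` clause never reads either field, so the list overstates what the analytic needs and will mislead anyone validating CIM coverage against it; remove the two entries or add the fields to the `by` clause. The `message` is ungrammatical (`A process commandline- [$process$] that tries to kill browser on [$dest$].`); `Command line [$process$] attempted to terminate a browser process on [$dest$].` reads better. The sole mapping to T1562.001 is arguable, because the description itself frames the browser kill as a step toward reading locked credential stores; consider adding T1555.003 alongside it, as the sibling Chrome detections in this commit do.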
@@ -0,0 +1,60 @@ +name: Windows Screen Capture in TEMP folder +id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c +version: 1 +date: '2024-09-24' +author: Teoderick Contreras, Splunk +data_sources: +- Sysmon Event ID 11 +type: TTP +status: production +description: The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised. +kind: endpoint +search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("screenshot.png", "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" + by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time + | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_screen_capture_in_temp_folder_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. 
+known_false_positives: unknown +references: +- https://x.com/suyog41/status/1825869470323056748 +- https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +tags: + analytic_story: + - Braodo Stealer + asset_type: Endpoint + confidence: 80 + impact: 80 + message: A screen capture named as $file_name$ was created on $dest$. + mitre_attack_id: + - T1113 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Filesystem.dest + - Filesystem.file_create_time + - Filesystem.file_name + - Filesystem.user + - Filesystem.file_path + risk_score: 64 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog From 380d18fee5b54ac7ec3f1f7b39f9b556e0fad5bb Mon Sep 17 00:00:00 2001 From: tccontre Date: Mon, 21 Oct 2024 08:11:53 +0200 Subject: [PATCH 3/7] braodo_stealer --- .../windows_archived_collected_data_in_temp_folder.yml | 9 +++++++++ ...from_password_stores_chrome_copied_in_temp_folder.yml | 9 +++++++++ ...redentials_from_web_browsers_saved_in_temp_folder.yml | 9 +++++++++ .../endpoint/windows_disable_or_stop_browser_process.yml | 9 +++++++++ .../endpoint/windows_screen_capture_in_temp_folder.yml | 9 +++++++++ 5 files changed, 45 insertions(+) diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml index c1cb4c68b6..bd5f6b87c2 100644 --- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml 
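Review bot: The `message` drops the bracket convention used by the other detections in this commit (`$file_name$` and `$dest$` appear bare rather than as `[$file_name$]` and `[$dest$]`), which makes the risk messages render inconsistently within the story; use `message: A screen capture named [$file_name$] was created in %temp% folder on [$dest$].` Because the search matches only the three exact names `screenshot.png`, `screenshot.jpg` and `screenshot.bmp`, `known_false_positives` should not stay `unknown`: legitimate screenshot utilities and users saving a capture under a temp path can produce those exact names, and the description should note that the list appears to be tied to the naming seen in the referenced sample.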
@@ -25,6 +25,15 @@ known_false_positives: unknown references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +drilldown_searches: +- name: View the detection results for $dest$ + search: '%original_detection_search% | search dest = $dest$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $dest$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Braodo Stealer diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml index d0d216fc5b..deaea7b647 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml 
@@ -25,6 +25,15 @@ known_false_positives: unknown references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +drilldown_searches: +- name: View the detection results for $dest$ + search: '%original_detection_search% | search dest = $dest$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $dest$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Braodo Stealer diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml index 89d4974ee1..cf510f65d9 100644 --- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml +++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml 
@@ -25,6 +25,15 @@ known_false_positives: unknown references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +drilldown_searches: +- name: View the detection results for $dest$ + search: '%original_detection_search% | search dest = $dest$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $dest$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Braodo Stealer diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 19df8b61da..f41db6b412 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml 
@@ -30,6 +30,15 @@ known_false_positives: Admin or user may choose to terminate browser via taskkil references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +drilldown_searches: +- name: View the detection results for $dest$ + search: '%original_detection_search% | search dest = $dest$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $dest$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Braodo Stealer diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index 00908a969b..1eb2a84396 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml 
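Review bot: Both drilldown searches pivot only on `$dest$`, but this detection declares `user` as an observable as well as `dest`, so risk events attributed to the user object will not show up in the "View risk events" drilldown; if both objects are meant to be scoped, widen the second search to `normalized_risk_object IN ($dest$, $user$)` and the first to `| search dest = $dest$ user = $user$`. The detection's `tags` block, where the observables are declared, continues outside this hunk.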
@@ -25,6 +25,15 @@ known_false_positives: unknown references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d +drilldown_searches: +- name: View the detection results for $dest$ + search: '%original_detection_search% | search dest = $dest$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $dest$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Braodo Stealer From ad65bbca81446a3e655060f8fe2afbd73067bb6d Mon Sep 17 00:00:00 2001 From: tccontre Date: Mon, 21 Oct 2024 08:19:00 +0200 Subject: [PATCH 4/7] braodo_stealer --- ...als_from_password_stores_chrome_copied_in_temp_dir.yml} | 4 ++-- ...ntials_from_password_stores_chrome_extension_access.yml | 7 ++++++- ...tials_from_password_stores_chrome_localstate_access.yml | 7 ++++++- ...tials_from_password_stores_chrome_login_data_access.yml | 7 ++++++- 4 files changed, 20 insertions(+), 5 deletions(-) rename detections/endpoint/{windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml => windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml} (99%) 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml similarity index 99% rename from detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml rename to detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index deaea7b647..021801cb2d 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_folder.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml @@ -1,4 +1,4 @@ -name: Windows Credentials from Password Stores Chrome Copied in TEMP Folder +name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir id: 4d14c86d-fdee-4393-94da-238d2706902f version: 1 date: '2024-09-24' @@ -15,7 +15,7 @@ search: '|tstats `security_content_summariesonly` count min(_time) as firstTime | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_credentials_from_password_stores_chrome_copied_in_temp_folder_filter`' + | `windows_credentials_from_password_stores_chrome_copied_in_temp_dir_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index d9a83ab345..dba6ed09c9 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml 
@@ -8,7 +8,12 @@ type: Anomaly data_source: - Windows Event Log Security 4663 description: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network. -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`' +search: '`wineventlog_security` EventCode=4663 + object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_credentials_from_password_stores_chrome_extension_access_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." 
known_false_positives: Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed. references: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 91717a9408..76602204fb 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml 
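Review bot: The reformatted exclusion `NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe"))` in the new `search` still matches any executable whose basename is chrome.exe, so a stealer dropped to disk under that name would be exempted from this analytic together with the real browser. Anchoring the pattern to the browser's install directory, e.g. `"*\\Google\\Chrome\\Application\\chrome.exe"`, keeps the intended allow-list while closing that gap; Chrome is commonly installed under either Program Files or the user's LocalAppData, so the anchored wildcard still covers both. The `object_file_path` pattern only covers the `Default` profile directory; if every profile is meant to be watched, `*\\User Data\\*\\Local Extension Settings\\*` is the wider form, at the cost of more events to tune. Both points apply equally to the sibling 4663 searches in this patch.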
@@ -8,7 +8,12 @@ type: Anomaly data_source: - Windows Event Log Security 4663 description: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data. -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`' +search: '`wineventlog_security` EventCode=4663 + object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_credentials_from_password_stores_chrome_localstate_access_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." 
known_false_positives: Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed. references: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index e7aa933b8b..773c6db7ec 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml 
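Review bot: The new `search` excludes browser activity with `process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")`, while the extension-access and login-data searches in the same patch use `process_path` for the same purpose; if `process_name` carries only the image basename for 4663 events, the path-qualified explorer.exe pattern can never match and the chrome.exe pattern matches any binary with that basename regardless of where it runs from. Using the same field as the siblings, `NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\Google\\Chrome\\Application\\chrome.exe"))`, makes the three analytics consistent and anchors the browser exclusion to its install directory. The `how_to_implement` text should also state that 4663 is only generated for objects whose SACL contains a matching audit entry, so the Chrome `User Data` directory (or the `Local State` file itself) needs an audit ACE in addition to the "Audit Object Access" policy; without it the search returns nothing even with auditing enabled.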
@@ -8,7 +8,12 @@ type: Anomaly data_source: - Windows Event Log Security 4663 description: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment. -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`' +search: '`wineventlog_security` EventCode=4663 + object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) + | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_credentials_from_password_stores_chrome_login_data_access_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. 
Then check the two boxes listed for both "Success" and "Failure." known_false_positives: Uninstall application may access this registry to remove the entry of the target application. filter is needed. references: From 8290df78c010163dd23f8b9a8905e8e783c01689 Mon Sep 17 00:00:00 2001 From: research-bot Date: Wed, 6 Nov 2024 10:49:44 -0800 Subject: [PATCH 5/7] updating sourcetype --- detections/deprecated/detect_mimikatz_using_loaded_images.yml | 2 +- .../deprecated/windows_dll_search_order_hijacking_hunt.yml | 2 +- .../endpoint/windows_archived_collected_data_in_temp_folder.yml | 2 +- ...edentials_from_password_stores_chrome_copied_in_temp_dir.yml | 2 +- ...ndows_credentials_from_web_browsers_saved_in_temp_folder.yml | 2 +- detections/endpoint/windows_disable_or_stop_browser_process.yml | 2 +- detections/endpoint/windows_screen_capture_in_temp_folder.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml index 1e94d31911..82d0f52559 100644 --- a/detections/deprecated/detect_mimikatz_using_loaded_images.yml +++ b/detections/deprecated/detect_mimikatz_using_loaded_images.yml @@ -69,4 +69,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog diff --git a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml index 2deb97d3d1..659b65928e 100644 --- a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml +++ b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml 
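Review bot: The exclusion list in the reformatted `search` lets `*:\\Windows\\System32\\dllhost.exe` read `Login Data` without alerting, and dllhost.exe is a generic COM surrogate host, so whatever COM server it is hosting on the victim's behalf inherits that exemption; if the entry exists for a specific false positive, the `known_false_positives` text should name it, and a narrower condition than a blanket path match would be safer. As in the sibling searches, `*\\chrome.exe` also matches any binary with that basename, which a stealer can pick for itself; `"*\\Google\\Chrome\\Application\\chrome.exe"` anchors it to the install path. Separately, the `known_false_positives` line reads `Uninstall application may access this registry to remove the entry of the target application`, but this analytic watches the `Login Data` SQLite file, not a registry key; it should describe file access instead, e.g. `Uninstallers or profile clean-up tools may read the Chrome Login Data file; filter as needed.`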
@@ -79,5 +79,5 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog update_timestamp: true diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml index bd5f6b87c2..05d8ece7a9 100644 --- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/archived_in_temp_dir/braodo_zip_temp.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 021801cb2d..649e24aab9 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file + sourcetype: XmlWinEventLog \ No newline at end of file 
diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml index cf510f65d9..ee4ab1a948 100644 --- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml +++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml @@ -67,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.003/browser_credential_info_temp/braodo_browser_info.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index f41db6b412..006503df13 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml @@ -82,4 +82,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/taskkill_browser/braodo_taskkill.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index 1eb2a84396..2a4049959e 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml @@ -66,4 +66,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: XmlWinEventLog 
From 7d82434b22ea952d8d2e39c87aeef75db5f4604e Mon Sep 17 00:00:00 2001 From: research-bot Date: Wed, 6 Nov 2024 12:04:53 -0800 Subject: [PATCH 6/7] updating dd --- .../windows_archived_collected_data_in_temp_folder.yml | 8 ++++---- ...als_from_password_stores_chrome_copied_in_temp_dir.yml | 8 ++++---- ...credentials_from_web_browsers_saved_in_temp_folder.yml | 8 ++++---- .../endpoint/windows_disable_or_stop_browser_process.yml | 8 ++++---- .../endpoint/windows_screen_capture_in_temp_folder.yml | 8 ++++---- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml index 05d8ece7a9..af205666ba 100644 --- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml 
@@ -26,12 +26,12 @@ references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 649e24aab9..40283048ef 100644 
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml @@ -26,12 +26,12 @@ references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: 
diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
index ee4ab1a948..9acd29ea03 100644
--- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
+++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
@@ -26,12 +26,12 @@ references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 006503df13..94cb2b137f 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml 
+++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml @@ -31,12 +31,12 @@ references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index 2a4049959e..b80f9db3c0 100644 
--- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml @@ -26,12 +26,12 @@ references: - https://x.com/suyog41/status/1825869470323056748 - https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d drilldown_searches: -- name: View the detection results for $dest$ - search: '%original_detection_search% | search dest = $dest$' +- name: View the detection results for "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for $dest$ - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($dest$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: From 7f6df6a32a7af86094530077469bb917704dfcbe Mon Sep 17 00:00:00 2001 
From: research-bot Date: Wed, 6 Nov 2024 12:52:59 -0800 Subject: [PATCH 7/7] remove kind --- .../endpoint/windows_archived_collected_data_in_temp_folder.yml | 1 - ...redentials_from_password_stores_chrome_copied_in_temp_dir.yml | 1 - ...indows_credentials_from_web_browsers_saved_in_temp_folder.yml | 1 - detections/endpoint/windows_disable_or_stop_browser_process.yml | 1 - detections/endpoint/windows_screen_capture_in_temp_folder.yml | 1 - 5 files changed, 5 deletions(-) diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml index af205666ba..3e1b07f39e 100644 --- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml +++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml @@ -8,7 +8,6 @@ data_sources: type: TTP status: production description: The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration. The detection focuses on monitoring specific directories, such as temp folders, for the presence of newly created archive files (e.g., .zip, .rar, .tar). By identifying this pattern, security teams can quickly respond to potential data collection and exfiltration attempts, minimizing the risk of data breaches and improving overall threat detection. -kind: endpoint search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 40283048ef..fc1f0419c0 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml @@ -8,7 +8,6 @@ data_sources: type: TTP status: production description: The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details. The detection monitors for suspicious copying activity involving these specific Chrome files, particularly in temp directories where malware typically processes the stolen data. Identifying this behavior enables security teams to act quickly, preventing attackers from decrypting and exfiltrating sensitive browser credentials and mitigating the risk of unauthorized access. -kind: endpoint search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("Local State", "Login Data") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml index 9acd29ea03..1c02d241f5 100644 --- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml +++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml 
@@ -8,7 +8,6 @@ data_sources: type: TTP status: production description: The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration. This detection focuses on monitoring for the creation of files with patterns or formats commonly associated with stolen credentials. By identifying these activities, security teams can take needed action to prevent sensitive login data from being leaked, reducing the risk of unauthorized access to user accounts and systems. -kind: endpoint search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 94cb2b137f..865efdcd6b 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml 
@@ -8,7 +8,6 @@ data_sources:
 type: TTP
 status: production
 description: The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data. This detection focuses on identifying taskkill commands targeting these browsers, signaling malicious intent. Early detection allows security teams to investigate and prevent further credential theft and system compromise.
-kind: endpoint
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*taskkill*" Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id
diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
index b80f9db3c0..cbdf0d19b7 100644
--- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml
+++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
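Review bot: The browser patterns in `Processes.process IN("*chrome.exe","*firefox.exe",...)` have a leading but no trailing wildcard, so they only match when the entire command line ends with the image name; a command line with a trailing switch after the image name, or one that ends with a closing quote, will not match even though it terminates the same browser. Each entry should carry a wildcard on both sides, e.g. `Processes.process IN("*chrome.exe*","*firefox.exe*","*brave.exe*","*opera.exe*","*msedge.exe*","*chromium.exe*")`, so the match is position-independent. It is also worth noting in the description that the search keys on the image name in the command line, so a termination by process id (taskkill's `/PID` form) is not covered; that is a documented limitation rather than a bug, but analysts should know it.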
@@ -8,7 +8,6 @@ data_sources:
 type: TTP
 status: production
 description: The following analytic detects the creation of screen capture files by the Braodo stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders. Monitoring for these files helps to quickly identify malicious screen capture attempts, allowing security teams to respond and mitigate potential information exposure before sensitive data is compromised.
-kind: endpoint
 search: '|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("screenshot.png", "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
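Review bot: The description claims coverage of images "saved in directories often used by malware, such as temporary or hidden folders", but the search on the new side matches only `Filesystem.file_path = "*\\temp\\*"` and exactly three file names (`screenshot.png`, `screenshot.jpg`, `screenshot.bmp`); hidden folders are not checked at all and any other image name is missed, so the description overstates what the analytic does. Either narrow the description to the implemented rule, e.g. `detects the creation of a file named screenshot.png, screenshot.jpg or screenshot.bmp inside a temp directory`, or extend the search to match the description. Because coverage is limited to those exact names, the description should also make the brittleness explicit so analysts do not treat a non-match as evidence that no screen capture occurred. The search string may continue past the last line shown here.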
