Haaglumination

detections/endpoint/windows_runmru_command_execution.yml

@@ -0,0 +1,63 @@
+name: Windows RunMRU Command Execution
+id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
+version: 1
+date: '2024-11-08'
+author: Nasreddine Bencherchali, Michael Haag, Splunk
+data_sources:
+- Sysmon Event ID 11
+- Sysmon Event ID 13
+type: Anomaly
+status: production
+description: The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. The detection excludes MRUList value changes to focus on actual command entries.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" NOT Registry.registry_key_name="*\\MRUList" by Registry.dest Registry.registry_value_data Registry.action  Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_command_execution_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: This detection may generate a few false positives, such as legitimate software updates or legitimate system maintenance activities that modify the RunMRU key. However, the exclusion of MRUList value changes helps reduce the number of false positives by focusing only on actual command entries. Add any specific false positives to the built in filter to reduce notables as needed.
+references:
+- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
+- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+- https://www.forensafe.com/blogs/runmrukey.html
+- https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
+tags:
+  analytic_story:
+  - Lumma Stealer
+  asset_type: Endpoint
+  confidence: 60
+  impact: 80
+  message: An instance of $registry_value_data$ was identified on endpoint $dest$ by user $user$ attempting to execute a command through the Run dialog box.
+  mitre_attack_id:
+  - T1202
+  observable:
+  - name: registry_value_data
+    type: Registry Value
+    role:
+    - Attacker
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User Name
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Registry.dest
+  - Registry.registry_value_data 
+  - Registry.action
+  - Registry.process_guid
+  - Registry.process_id
+  - Registry.registry_key_name
+  - Registry.user
+  risk_score: 80
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

stories/lumma_stealer.yml

@@ -0,0 +1,30 @@
+name: Lumma Stealer
+id: 6c8f76f6-1272-4c0e-afbd-5a9f58947fa5
+version: 1
+date: '2024-11-13'
+author: Michael Haag, Nasreddine Bencherchali, Splunk
+description: Lumma Stealer is a sophisticated information-stealing malware that has been operating as a Malware-as-a-Service (MaaS) platform since 2022. Recent campaigns in 2024 have shown increased sophistication in distribution methods, particularly through fake CAPTCHA verification pages, cracked game downloads, and phishing emails targeting GitHub users. The malware is designed to steal sensitive information including browser credentials, cryptocurrency wallet data, and password manager archives.
+narrative: As of late 2024, Lumma Stealer has emerged as one of the most prominent information stealers in the threat landscape, employing increasingly sophisticated distribution techniques. The malware's primary infection vector involves a deceptive CAPTCHA campaign where attackers create convincing phishing sites featuring fake Google CAPTCHA verification pages. When users interact with these pages by clicking "I'm not a robot," malicious code is automatically copied to their clipboard. Users are then socially engineered to paste this code into the Windows Run dialog (Win+R), triggering PowerShell commands that download and execute the Lumma Stealer payload. /
+
+    The malware's distribution infrastructure is highly sophisticated, leveraging various hosting platforms including Amazon S3 buckets and Content Delivery Networks (CDNs). To evade detection, the operators employ multiple obfuscation techniques, including base64 encoding and clipboard manipulation. The malware is frequently distributed through malvertising campaigns on adult sites, file-sharing services, betting platforms, and anime websites. /
+
+    Recent intelligence has revealed several concerning developments in Lumma Stealer's operations. The malware has been observed working in conjunction with other threat families, notably the Amadey botnet, expanding its reach and capabilities. Its geographic targeting has broadened, with significant activity reported in Brazil, Spain, Italy, and Russia. The threat actors behind Lumma have also demonstrated increased prowess in social engineering, making it one of the top-ranked malware threats in recent global threat indexes. /
+
+    Effective detection strategies should focus on monitoring PowerShell execution patterns, suspicious Run dialog usage, and unauthorized access attempts to credential stores and cryptocurrency wallets. Organizations should implement comprehensive monitoring of these attack vectors to detect and respond to Lumma Stealer campaigns effectively.
+references:
+    - https://www.cloudsek.com/blog/lumma-stealer-malware-analysis
+    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+    - https://www.kaspersky.com/blog/lumma-stealer-captcha-scam/49454/
+    - https://www.bleepingcomputer.com/news/security/fake-captcha-pages-push-dangerous-lumma-stealer-malware/
+    - https://www.trendmicro.com/en_us/research/24/a/lumma-stealer-distributed-via-fake-captcha.html
+    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
+    - https://www.forensafe.com/blogs/runmrukey.html
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve: []