splunk · patel-bhavin · Nov 20, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
@@ -76,7 +76,7 @@ tags:
   - Authentication.user
   - Authentication.src
   security_domain: access
-  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
+  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detection.
 tests:
 - name: True Positive Test
   attack_data:

@@ -1,6 +1,6 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 3
+version: 4
 date: '2024-10-17'
 author: Dean Luxton
 status: production
@@ -41,7 +41,7 @@ how_to_implement: >-
   Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. 
   Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
 
-  This search opporates best on a 5 minute schedule, looking back over the past 70 minutes. 
+  This search operates best on a 5 minute schedule, looking back over the past 70 minutes. 
   Configure 70 minute throttling on the two fields _time and counter. 
 known_false_positives: Unknown
 references:

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2024-11-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -17,6 +17,8 @@ references:
 - https://github.com/redcanaryco/AtomicTestHarnesses
 - https://redcanary.com/blog/introducing-atomictestharnesses/
 - https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing
+- https://denwp.com/dissecting-lumma-malware/
+- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
 drilldown_searches:
 - name: View the detection results for - "$user$" and "$dest$"
   search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
@@ -30,6 +32,7 @@ tags:
   analytic_story:
   - Suspicious MSHTA Activity
   - Living Off The Land
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 100
   impact: 80

@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 10
+version: 11
 date: '2024-10-17'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
@@ -32,10 +32,11 @@ tags:
   - Sandworm Tools
   - Data Destruction
   - Volt Typhoon
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 70
-  message: Powershell.exe running potentially malicious encodede commands on $dest$
+  message: Powershell.exe running potentially malicious encoded commands on $dest$
   mitre_attack_id:
   - T1027
   observable:

@@ -1,6 +1,6 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 6
+version: 7
 date: '2024-10-17'
 author: Michael Haag, Splunk
 status: production
@@ -32,6 +32,7 @@ tags:
   - Data Destruction
   - CISA AA24-241A
   - Braodo Stealer
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 100
   impact: 80

@@ -1,6 +1,6 @@
 name: Suspicious mshta child process
 id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 4
+version: 5
 date: '2024-09-30'
 author: Michael Haag, Splunk
 status: production
@@ -29,6 +29,7 @@ tags:
   analytic_story:
   - Suspicious MSHTA Activity
   - Living Off The Land
+  - Lumma Stealer
   asset_type: Endpoint
   confidence: 80
   impact: 50

@@ -0,0 +1,64 @@
+name: Windows BitLockerToGo Process Execution
+id: 68cbc9e9-2882-46f2-b636-3b5080589d58
+version: 1
+date: '2024-11-13'
+author: Michael Haag, Nasreddine Bencherchali, Splunk
+data_sources:
+- Sysmon Event ID 1
+- Windows Event Log Security 4688
+type: Hunting
+status: production
+description: The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=bitlockertogo.exe by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_process_execution_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, monitor for usage of BitLockerToGo.exe in your environment, tune as needed. If BitLockerToGo.exe is not used in your environment, move to TTP.
+references:
+- https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Lumma Stealer 
+  asset_type: Endpoint
+  confidence: 80
+  impact: 70
+  message: BitLockerToGo.exe was executed on $dest$ by $user$.
+  mitre_attack_id:
+  - T1218
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  - name: user
+    type: User Name
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - Processes.process_name
+  - Processes.dest
+  - Processes.user
+  - Processes.parent_process_name
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id
+  risk_score: 70
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,62 @@
+name: Windows BitLockerToGo with Network Activity
+id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
+version: 1
+date: '2024-11-13'
+author: Michael Haag, Nasreddine Bencherchali, Splunk
+data_sources:
+- Sysmon Event ID 22
+type: Hunting
+status: production
+description: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.
+search: '`sysmon` EventCode=22 process_name="bitlockertogo.exe" | stats count min(_time) as firstTime max(_time) as lastTime values(query) as query values(answer) as answer values(QueryResults) as query_results values(QueryStatus) as query_status by process_name process_guid Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bitlockertogo_with_network_activity_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
+known_false_positives: False positives are likely, as BitLockerToGo.exe is a legitimate Windows utility used for managing BitLocker encryption. However, the detection is designed to flag unusual execution patterns that deviate from standard usage. Filtering may be required to reduce false positives, once confirmed - move to TTP.
+references:
+- https://any.run/report/5e9ba24639f70787e56f10a241271ae819ef9c573edb22b9eeade7cb40a2df2a/66f16c7b-2cfc-40c5-91cc-f1cbe9743fa3
+- https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Lumma Stealer
+  asset_type: Endpoint
+  confidence: 80
+  impact: 70
+  message: BitLockerToGo.exe was executed with network activity on $dest$.
+  mitre_attack_id:
+  - T1218
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - process_name
+  - process_guid
+  - Computer
+  - query
+  - answer
+  - QueryResults
+  - QueryStatus
+  - dest
+  risk_score: 70
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,72 @@
+name: Windows RunMRU Command Execution
+id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
+version: 1
+date: '2024-11-08'
+author: Nasreddine Bencherchali, Michael Haag, Splunk
+data_sources:
+- Sysmon Event ID 11
+- Sysmon Event ID 13
+type: Anomaly
+status: production
+description: The following analytic detects modifications to the Windows RunMRU registry key, which stores a history of commands executed through the Run dialog box (Windows+R). It leverages Endpoint Detection and Response (EDR) telemetry to monitor registry events targeting this key. This activity is significant as malware often uses the Run dialog to execute malicious commands while attempting to appear legitimate. If confirmed malicious, this could indicate an attacker using indirect command execution techniques for defense evasion or persistence. The detection excludes MRUList value changes to focus on actual command entries.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" NOT Registry.registry_key_name="*\\MRUList" by Registry.dest Registry.registry_value_data Registry.action  Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_command_execution_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: This detection may generate a few false positives, such as legitimate software updates or legitimate system maintenance activities that modify the RunMRU key. However, the exclusion of MRUList value changes helps reduce the number of false positives by focusing only on actual command entries. Add any specific false positives to the built in filter to reduce notables as needed.
+references:
+- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
+- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
+- https://www.forensafe.com/blogs/runmrukey.html
+- https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Lumma Stealer
+  asset_type: Endpoint
+  confidence: 60
+  impact: 80
+  message: An instance of $registry_value_data$ was identified on endpoint $dest$ by user $user$ attempting to execute a command through the Run dialog box.
+  mitre_attack_id:
+  - T1202
+  observable:
+  - name: registry_value_data
+    type: Registry Value
+    role:
+    - Attacker
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User Name
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Registry.dest
+  - Registry.registry_value_data 
+  - Registry.action
+  - Registry.process_guid
+  - Registry.process_id
+  - Registry.registry_key_name
+  - Registry.user
+  risk_score: 80
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog