Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto_campaign #3240

Open
wants to merge 30 commits into
base: develop
Choose a base branch
from
Open

crypto_campaign #3240

wants to merge 30 commits into from

Conversation

tccontre
Copy link
Contributor

@tccontre tccontre commented Dec 13, 2024
edited
Loading

New Detection

  • windows_powershell_logoff_user_via_quser.yml
  • windows_obfuscated_files_or_information_via_rar_sfx.yml
  • windows_remote_management_execute_shell.yml
  • windows_file_and_directory_permissions_enable_inheritance.yml
  • windows_file_and_directory_permissions_remove_inheritance.yml
  • windows_account_access_removal_via_powershell_initiate_logoff.yml
  • windows_bidirectional_communication_via_telegram_bot.yml
  • windows_file_and_directory_enable_readonly_permissions.yml

updated

  • icacls_grant_command.yml
  • executables_or_script_creation_in_suspicious_path.yml
  • suspicious_process_file_path.yml

tagged

  • add_or_set_windows_defender_exclusion.yml
  • any_powershell_downloadfile.yml
  • attempt_to_stop_security_service.yml
  • chcp_command_execution.yml
  • cmd_carry_out_string_command_parameter.yml
  • detect_password_spray_attack_behavior_on_user.yml
  • detect_rare_executables.yml
  • download_files_using_telegram.yml
  • excessive_service_stop_attempt.yml
  • excessive_usage_of_cacls_app.yml
  • excessive_usage_of_sc_service_utility.yml
  • excessive_usage_of_taskkill.yml
  • hiding_files_and_directories_with_attrib_exe.yml
  • high_process_termination_frequency.yml
  • icacls_deny_command.yml
  • malicious_powershell_process___encoded_command.yml
  • modify_acl_permission_to_files_or_folder.yml
  • permission_modification_using_takeown_app.yml
  • sc_exe_manipulating_windows_services.yml
  • suspicious_scheduled_task_from_public_directory.yml
  • windows_account_access_removal_via_quser_logoff.yml
  • windows_autoit3_execution.yml
  • windows_boot_or_logon_autostart_execution_in_startup_folder.yml
  • windows_disable_or_modify_tools_via_taskkill.yml
  • windows_obfuscated_files_or_information_via_rar_sfx.yml
  • windows_remote_management_execute_shell.yml
  • windows_screen_capture_in_temp_folder.yml
  • windows_service_created_with_suspicious_service_path.yml
  • windows_service_creation_using_registry_entry.yml
  • windows_service_deletion_in_registry.yml
  • windows_service_stop_by_deletion.yml
  • windows_service_stop_via_net__and_sc_application.yml
  • windows_system_file_on_disk.yml
  • windows_system_user_discovery_via_quser.yml
  • xmrig_driver_loaded.yml

story

    new file:   stories/crypto_stealer.yml

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

@tccontre tccontre added the WIP DO NOT MERGE Work in Progress label Dec 13, 2024
@tccontre tccontre self-assigned this Dec 13, 2024
@tccontre tccontre removed the WIP DO NOT MERGE Work in Progress label Jan 7, 2025
nasbench
nasbench requested changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@nasbench nasbench left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple more changes before we can merge this.

detections/endpoint/windows_account_access_removal_via_powershell_initiate_logoff.yml Outdated Show resolved Hide resolved
detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml Outdated Show resolved Hide resolved
detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml Outdated Show resolved Hide resolved
detections/endpoint/windows_bidirectional_communication_via_telegram_bot.yml Outdated
Comment on lines 12 to 17
search: '`sysmon` EventCode=22 query = "api.telegram.org"
| stats count min(_time) as firstTime max(_time) as lastTime by query answer QueryResults QueryStatus process_name process_guid Computer
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bidirectional_communication_via_telegram_bot_filter`'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be confirmed but I believe The logic needs to exclude the telegram binary on windows because it communicates with the API itself.
I don't know if there is a direct link from the web but excluding browsers is will also avoid FPs

detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
description: The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.
kind: endpoint
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a specific reason we only focus on these groups for read only? I think any file being set to read only is interesting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench requested changes

@patel-bhavin patel-bhavin Awaiting requested review from patel-bhavin patel-bhavin is a code owner

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@tccontre tccontre

Labels
Detections Stories
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tccontre @nasbench @patel-bhavin