Merge pull request #3137 from splunk/valleyrat
Valleyrat fixes!
patel-bhavin authored Sep 25, 2024
2 parents 693e8eb + ec168c8 commit 2e0a7c5
Showing 5 changed files with 10 additions and 11 deletions.
Expand Up @@ -24,7 +24,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint
| `windows_impair_defenses_disable_av_autostart_via_registry_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: unknown
references:
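Review bot: the typo fix ("offical" to "official") is correct, but this how_to_implement paragraph is shared verbatim by the other two registry detections in this commit, so it is worth a repository-wide search for any remaining copies of "offical" before merging. As a style point, the bare Splunkbase URL at the end of the prose would read better under references:, which sits directly below and is already the field for links.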
Expand Up @@ -7,7 +7,7 @@ data_sources:
- Sysmon Event ID 13
type: Anomaly
status: production
description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypass User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system.
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)"
BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
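Review bot: the description still carries two wording problems after this change. "targetted" is misspelled (should be "targeted"), and "to bypass User Account Control (UAC) Windows OS feature" is missing an article; suggest "to bypass the Windows User Account Control (UAC) feature". The same sentence also mixes "progIDs" and "ProgIDs"; pick one casing. Separately, this file lists the data source as "Sysmon Event ID 13" while the C2-config detection in this same commit uses "Sysmon EventID 13"; aligning the data_sources string across the ValleyRAT detections keeps them groupable.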
Expand All @@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint
| `windows_modify_registry_utilize_progids_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: unknown
references:
Expand Up @@ -8,8 +8,7 @@ data_sources:
- Sysmon EventID 13
type: TTP
status: production
description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically,
it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server.
description: The following analytic detects modifications to theregistry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server.
This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure.
By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and
investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s
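Review bot: this rewrap introduces a regression: the new first line reads "modifications to theregistry related to" (missing space between "the" and "registry"), so the description is now worse than before. The join also leaves the first line much longer than the following lines, which are still wrapped at the original width; either keep the original two-line wrap and only fix the typo, or rewrap the whole description consistently.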
Expand All @@ -23,7 +22,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint
| `windows_modify_registry_valleyrat_c2_config_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: unknown
references:
Expand All @@ -35,7 +34,7 @@ tags:
asset_type: Endpoint
confidence: 100
impact: 90
message: A possible ValleyRAT Registry modification in [$dest$].
message: A registry modification related to ValleyRAT on [$dest$]
mitre_attack_id:
- T1112
observable:
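Review bot: the new message text is clearer, but the trailing period was dropped in the rewrite ("...on [$dest$]" versus "...in [$dest$]."); check it against the punctuation used by the other detections' messages so notable titles stay consistent. More substantively, this file pairs confidence: 100 with known_false_positives: unknown (visible in the hunk above); a registry-value TTP with no documented false positives is a strong candidate for a lower confidence or, better, a short known_false_positives entry describing what legitimate software might write to the same key.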
@@ -1,4 +1,4 @@
name: Windows Schedule Task DLL Module Loaded
name: Windows Scheduled Task DLL Module Loaded
id: bc5b2304-f241-419b-874a-e927f667b7b6
version: 1
date: '2024-09-11'
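Review bot: renaming the detection from "Schedule Task" to "Scheduled Task" also renames the derived filter macro (see the next hunk), so this is not a cosmetic change for anyone who has already defined or overridden windows_schedule_task_dll_module_loaded_filter locally. Consider bumping version: 1 and updating date: '2024-09-11' so consumers can see that the content changed.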
Expand All @@ -19,7 +19,7 @@ search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\tem
| stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_schedule_task_dll_module_loaded_filter`'
| `windows_scheduled_task_dll_module_loaded_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the process name and imageloaded executions from your endpoints. If you
are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
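Review bot: the stats clause in the unchanged context line has an empty element in its by-list: "ImageLoaded, , OriginalFileName, ProcessGuid". That double comma looks like a leftover from editing and should be removed here while the file is being touched, since it is likely to break SPL parsing. Also, because the filter macro name changes in this hunk, the macro definition for the old name (not part of this diff) needs to be renamed to match, otherwise the search will fail with an undefined macro.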
@@ -1,4 +1,4 @@
name: Windows Schedule Tasks for CompMgmtLauncher or Eventvwr
name: Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
id: feb43b86-8c38-46cd-865e-20ce8a96c26c
version: 1
date: '2024-09-11'
Expand All @@ -14,7 +14,7 @@ search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:
| stats count min(_time) as firstTime max(_time) as lastTime by dest action EventData_Xml TaskContent TaskName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr_filter`'
| `windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well
as the URL ToolBox application are also required.
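Review bot: same point as for the DLL-load detection: the filter macro rename in this hunk must be mirrored in the macro definition for windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr_filter, which is not in this diff. As a readability point, the by-list includes EventData_Xml, a high-cardinality raw XML field, alongside the already-extracted TaskContent and TaskName; if it is only there for evidence, the search would be cheaper and the results easier to read with it moved out of the by-clause.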