From e7ec6e384c61cfcc8f28a7ce27605fd69a6730fd Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 25 Sep 2024 01:31:15 +0530 Subject: [PATCH 1/4] updating from eri's comments --- ...ows_impair_defenses_disable_av_autostart_via_registry.yml | 2 +- .../endpoint/windows_modify_registry_utilize_progids.yml | 4 ++-- .../endpoint/windows_modify_registry_valleyrat_c2_config.yml | 5 ++--- ...aded.yml => windows_scheduled_task_dll_module_loaded.yml} | 4 ++-- ...ows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml} | 2 +- 5 files changed, 8 insertions(+), 9 deletions(-) rename detections/endpoint/{windows_schedule_task_dll_module_loaded.yml => windows_scheduled_task_dll_module_loaded.yml} (96%) rename detections/endpoint/{windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml => windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml} (97%) diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml index 061bbf8ad5..04fff8927f 100644 --- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml +++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml @@ -24,7 +24,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint | `windows_impair_defenses_disable_av_autostart_via_registry_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: 
diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml index 3f6ac59418..6982e3d7a6 100644 --- a/detections/endpoint/windows_modify_registry_utilize_progids.yml +++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml 
@@ -7,7 +7,7 @@ data_sources: - Sysmon Event ID 13 type: Anomaly status: production -description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypassed User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to a targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. +description: The following analytic detects modifications to the Windows Registry specifically targeting Programmatic Identifier associations to bypass User Account Control (UAC) Windows OS feature. ValleyRAT may create or alter registry entries to targetted progIDs like `.pwn` files with malicious processes, allowing it to execute harmful scripts or commands when these files are opened. By monitoring for unusual changes in registry keys linked to ProgIDs, this detection enables security analysts to identify potential threats like ValleyRAT execution attempts. Early detection of these modifications helps mitigate unauthorized execution and prevents further exploitation of the system. search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)" BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
@@ -17,7 +17,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint | `windows_modify_registry_utilize_progids_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml index b6b46bc824..928879b709 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml @@ -8,8 +8,7 @@ data_sources: - Sysmon EventID 13 type: TTP status: production -description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically, - it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. +description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s 
@@ -23,7 +22,7 @@ search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint | `windows_modify_registry_valleyrat_c2_config_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your - endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical + endpoints. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709 known_false_positives: unknown references: diff --git a/detections/endpoint/windows_schedule_task_dll_module_loaded.yml b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml similarity index 96% rename from detections/endpoint/windows_schedule_task_dll_module_loaded.yml rename to detections/endpoint/windows_scheduled_task_dll_module_loaded.yml index 1fb56b4337..6167259855 100644 --- a/detections/endpoint/windows_schedule_task_dll_module_loaded.yml +++ b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml @@ -1,4 +1,4 @@ -name: Windows Schedule Task DLL Module Loaded +name: Windows Scheduled Task DLL Module Loaded id: bc5b2304-f241-419b-874a-e927f667b7b6 version: 1 date: '2024-09-11' @@ -19,7 +19,7 @@ search: '`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\tem | stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_schedule_task_dll_module_loaded_filter`' + | `windows_scheduled_task_dll_module_loaded_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
diff --git a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml similarity index 97% rename from detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml rename to detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml index 2760c374fc..20ee3fd912 100644 --- a/detections/endpoint/windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr.yml +++ b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml @@ -1,4 +1,4 @@ -name: Windows Schedule Tasks for CompMgmtLauncher or Eventvwr +name: Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr id: feb43b86-8c38-46cd-865e-20ce8a96c26c version: 1 date: '2024-09-11' From cbeadd54c554597723cccd46e57bcad67c801eb6 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 25 Sep 2024 01:32:19 +0530 Subject: [PATCH 2/4] message --- .../endpoint/windows_modify_registry_valleyrat_c2_config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml index 928879b709..e2bf4aef77 100644 --- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml +++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml 
@@ -8,7 +8,7 @@ data_sources: - Sysmon EventID 13 type: TTP status: production -description: The following analytic detects modifications to registry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. +description: The following analytic detects modifications to theregistry related to ValleyRAT C2 configuration. Specifically, it monitors changes in registry keys where ValleyRAT saves the IP address and port information of its command-and-control (C2) server. This activity is a key indicator of ValleyRAT attempting to establish persistent communication with its C2 infrastructure. By identifying these unauthorized registry modifications, security analysts can quickly detect malicious configurations and investigate the associated threats. Early detection of these changes helps prevent further exploitation and limits the malware’s @@ -34,7 +34,7 @@ tags: asset_type: Endpoint confidence: 100 impact: 90 - message: A possible ValleyRAT Registry modification in [$dest$]. + message: A registry modification related to ValleyRAT on [$dest$] mitre_attack_id: - T1112 observable: From 1b434a1d432e0661421b5390cdf959be9a371a23 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 25 Sep 2024 01:35:22 +0530 Subject: [PATCH 3/4] updating macro --- ...windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml index 20ee3fd912..0c2d598cd0 100644 --- a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml +++ b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml 
@@ -14,7 +14,7 @@ search: '`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C: | stats count min(_time) as firstTime max(_time) as lastTime by dest action EventData_Xml TaskContent TaskName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr_filter`' + | `windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA as well as the URL ToolBox application are also required. From 9af668ca8b6dc0d2bea4cb39a4b74792f71204d7 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 25 Sep 2024 01:42:44 +0530 Subject: [PATCH 4/4] update app insepct --- .github/workflows/appinspect.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml index 5762339fbf..4d027af9a1 100644 --- a/.github/workflows/appinspect.yml +++ b/.github/workflows/appinspect.yml @@ -29,7 +29,7 @@ jobs: APPINSPECTPASSWORD: "${{ secrets.APPINSPECTPASSWORD }}" run: | echo $APPINSPECTUSERNAME - contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments + contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments --enable-metadata-validation echo "done appinspect" mkdir -p artifacts/app_inspect_report cp -r dist/*.html artifacts/app_inspect_report
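Review bot: the rewritten `+description:` line in windows_modify_registry_utilize_progids.yml (PATCH 1/4, hunk @@ -7,7) still carries the misspelling "targetted", and "to bypass User Account Control (UAC) Windows OS feature" reads awkwardly; suggest "to bypass the Windows User Account Control (UAC) feature" and "registry entries for targeted ProgIDs" (the line mixes "progIDs" and "ProgIDs"; pick one). Since the search keys on `Registry.registry_path= "*\\ms-settings\\CurVer\\(Default)"` rather than on `.pwn` entries themselves, a clause saying the analytic watches the ms-settings CurVer default value being redirected to a custom ProgID would help analysts interpret `registry_value_data` in the results.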
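Review bot: the search hunk for windows_scheduled_task_dll_module_loaded.yml (PATCH 1/4, @@ -19,7) correctly renames the filter macro, but the unchanged context line `| stats min(_time) as firstTime max(_time) as lastTime count by user_id, dest, Image ,ImageLoaded, , OriginalFileName, ProcessGuid` contains a stray empty field (`, ,`) and inconsistent spacing around `Image ,ImageLoaded`; since the file is being touched, clean this up to `by user_id, dest, Image, ImageLoaded, OriginalFileName, ProcessGuid` and confirm the search still parses in Splunk.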
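Review bot: the rename hunk for windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml (PATCH 1/4, @@ -1,4) changes only `name:` and leaves the search's closing macro as `windows_schedule_tasks_for_compmgmtlauncher_or_eventvwr_filter`; PATCH 3/4 fixes that, so the intermediate commit references a filter macro that no longer matches the detection name. Suggest squashing 3/4 into 1/4 (and likewise 2/4, which corrects text introduced in 1/4) so every commit in the series builds. Also, `version: 1` and `date: '2024-09-11'` are unchanged in both renamed files; that is fine if these detections have not shipped yet, otherwise the rename warrants a version bump.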
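Review bot: the `+description:` line in windows_modify_registry_valleyrat_c2_config.yml (PATCH 2/4, @@ -8,7) introduces "theregistry" (missing space) while adding the article; it should read "modifications to the registry related to ValleyRAT C2 configuration".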
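Review bot: the new `message:` in PATCH 2/4 (@@ -34,7) is clearer than the old one, but the surrounding tags show `confidence: 100` while the same file's `known_false_positives: unknown` (visible in the PATCH 1/4 hunk @@ -23,7) gives analysts no tuning guidance; either document the expected false positives or lower the confidence. If `Registry.registry_path` and `Registry.registry_value_data` are in this search's BY clause, adding `$registry_path$` to the message would also speed up triage.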
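Review bot: the .github/workflows/appinspect.yml hunk (PATCH 4/4) adds `--enable-metadata-validation` without the commit message ("update app insepct") or a workflow comment explaining what metadata it validates or whether it can newly fail the job on existing content; add a one-line comment above the command. While this step is being edited: `echo $APPINSPECTUSERNAME` writes the account name into the job log, and the password is passed as a command-line argument (`--splunk-api-password "$APPINSPECTPASSWORD"`), which is visible in the runner's process list; if contentctl can read these credentials from the environment or stdin, prefer that and drop the echo.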