Merge branch 'develop' into gitlab_release_v4.26.0

splunk · Mar 6, 2024 · 87e92f7 · 87e92f7
2 parents 06f46b1 + 9be2e2f
commit 87e92f7
Show file tree

Hide file tree

Showing 4 changed files with 194 additions and 133 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,4 +1,4 @@
 [submodule "contentctl"]
 	path = contentctl
 	url = https://github.com/splunk/contentctl.git
-        ignore = all
+	ignore = all
diff --git a/dist/DA-ESS-ContentUpdate/default/analyticstories.conf b/dist/DA-ESS-ContentUpdate/default/analyticstories.conf
@@ -18428,6 +18428,17 @@ searches = ["ESCU - Windows Service Created with Suspicious Service Path - Rule"
 description = The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.
 narrative = The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB's ultimate targets. Snake's custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We consider Snake to be the most sophisticated cyber espionage tool in the FSB's arsenal. The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake's internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity. (CISA, 2023)
 
+[analytic_story://Snake Keylogger]
+category = Adversary Tactics
+last_updated = 2024-02-12
+version = 1
+references = ["https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"]
+maintainers = [{"company": "Splunk", "email": "-", "name": "Teoderick Contreras"}]
+spec_version = 3
+searches = ["ESCU - Detect Regasm Spawning a Process - Rule", "ESCU - Download Files Using Telegram - Rule", "ESCU - Executables Or Script Creation In Suspicious Path - Rule", "ESCU - High Process Termination Frequency - Rule", "ESCU - Non Chrome Process Accessing Chrome Default Dir - Rule", "ESCU - Non Firefox Process Access Firefox Profile Dir - Rule", "ESCU - Processes launching netsh - Rule", "ESCU - Registry Keys Used For Persistence - Rule", "ESCU - Suspicious Driver Loaded Path - Rule", "ESCU - Suspicious Process DNS Query Known Abuse Web Services - Rule", "ESCU - Suspicious Process Executed From Container File - Rule", "ESCU - Windows Credentials from Password Stores Chrome LocalState Access - Rule", "ESCU - Windows Credentials from Password Stores Chrome Login Data Access - Rule", "ESCU - Windows File Transfer Protocol In Non-Common Process Path - Rule", "ESCU - Windows Gather Victim Network Info Through Ip Check Web Services - Rule", "ESCU - Windows Non Discord App Access Discord LevelDB - Rule", "ESCU - Windows Phishing PDF File Executes URL Link - Rule", "ESCU - Windows System Network Connections Discovery Netsh - Rule", "ESCU - Windows Time Based Evasion via Choice Exec - Rule", "ESCU - Windows Unsecured Outlook Credentials Access In Registry - Rule", "ESCU - Windows User Execution Malicious URL Shortcut File - Rule"]
+description = SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.
+narrative = SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.
+
 [analytic_story://Sneaky Active Directory Persistence Tricks]
 category = Adversary Tactics
 last_updated = 2022-08-29