# permission_modification_using_takeown_app.yml
name: Permission Modification using Takeown App
id: fa7ca5c6-c9d8-11eb-bce9-acde48001122
version: 5
date: '2025-01-27'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects takeown.exe being run with the /f switch,
  which takes ownership of a file or directory. It leverages data from Endpoint Detection
  and Response (EDR) agents, focusing on process execution logs that include process
  GUID, process name, and command-line details. This activity is significant because
  ransomware commonly takes ownership of files or folders (often followed by an ACL
  change, for example with icacls.exe) so that they can be encrypted or deleted. If
  confirmed malicious, this could lead to unauthorized access, data encryption, or data
  destruction, severely impacting the integrity and availability of critical data.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe"
  Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process
  Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id
  Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `permission_modification_using_takeown_app_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: takeown.exe is a legitimate Windows utility that administrators
  and maintenance scripts may use to recover access to files or folders. Tune the filter
  macro for known administrative accounts, hosts, and parent processes.
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
drilldown_searches:
- name: View the detection results for - "$dest$"
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
    starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
rba:
  message: A suspicious execution of $process_name$ with process id $process_id$
    and command line $process$ to take ownership of directories or files on host $dest$
  risk_objects:
  - field: dest
    type: system
    score: 30
  threat_objects:
  - field: process_name
    type: process_name
tags:
  analytic_story:
  - Sandworm Tools
  - Ransomware
  - Crypto Stealer
  asset_type: Endpoint
  mitre_attack_id:
  - T1222
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data:
      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ransomware_ttp/data1/windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: XmlWinEventLog
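The tstats search above can be exercised without a Splunk instance by replaying its where/by logic over a handful of records. The following is an added example, not code from the Splunk security_content project: it re-implements the `process_name = "takeown.exe"` and `process = "*/f*"` match plus the `by` aggregation in plain Python, and additionally parses the takeown command line so each result carries the /f target and whether /r, /a or /d y were used. The events are constructed, already-CIM-normalized `Endpoint.Processes` records (what Sysmon EventID 1 or Security 4688 look like after the add-on maps them); the hosts, users, timestamps and command lines are made up, and the case-insensitive matching is an assumption about how the deployed data model compares values.

```python
"""Offline replay of the 'Permission Modification using Takeown App' search.

Added example (not Splunk's own code). Records are constructed, CIM-normalized
Endpoint.Processes events; hosts, users and command lines are invented.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). Field names follow the
# Endpoint.Processes data model used by the search.
SAMPLE_EVENTS = [
    {"_time": 1738000000, "dest": "ws01", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "takeown.exe",
     "process": "takeown.exe /f C:\\Users\\jdoe\\Documents /r /d y"},
    {"_time": 1738000050, "dest": "ws01", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "takeown.exe",
     "process": "takeown.exe /f C:\\Users\\jdoe\\Documents /r /d y"},
    {"_time": 1738000100, "dest": "srv02", "user": "CORP\\admin",
     "parent_process_name": "powershell.exe", "process_name": "takeown.exe",
     "process": "takeown.exe /F \"C:\\inetpub\\wwwroot\" /A"},
    {"_time": 1738000200, "dest": "ws03", "user": "CORP\\mlee",
     "parent_process_name": "cmd.exe", "process_name": "takeown.exe",
     "process": "takeown.exe /?"},                        # help text only, no /f
    {"_time": 1738000300, "dest": "ws03", "user": "CORP\\mlee",
     "parent_process_name": "cmd.exe", "process_name": "icacls.exe",
     "process": "icacls.exe C:\\tmp /grant Everyone:F"},  # different binary
]


def matches_takeown_rule(event):
    """Equivalent of the search's where clause:
         Processes.process_name = "takeown.exe"  Processes.process = "*/f*"
    Case-insensitive comparison is an assumption about the deployed data model.
    """
    name = event.get("process_name", "")
    cmdline = event.get("process", "")
    return name.lower() == "takeown.exe" and "/f" in cmdline.lower()


def parse_takeown_args(cmdline):
    """Pull out what an analyst wants from a takeown command line: the /f target
    and whether /r (recurse), /a (give ownership to Administrators) or
    /d y (suppress the per-directory prompt) were passed.
    """
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:                             # unbalanced quote in the command line
        argv = cmdline.split()
    info = {"target": None, "recursive": False, "to_admins": False, "no_prompt": False}
    i = 0
    while i < len(argv):
        tok = argv[i].lower()
        if tok == "/f" and i + 1 < len(argv):
            info["target"] = argv[i + 1].strip('"')
            i += 1
        elif tok == "/r":
            info["recursive"] = True
        elif tok == "/a":
            info["to_admins"] = True
        elif tok == "/d" and i + 1 < len(argv):
            info["no_prompt"] = argv[i + 1].lower() == "y"
            i += 1
        i += 1
    return info


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def run_detection(events):
    """Apply the rule and aggregate like the search's `by` clause: count,
    firstTime and lastTime per (dest, user, parent, process_name, process).
    Returns one row per group, oldest first, enriched with the parsed arguments.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_takeown_rule(ev):
            continue
        key = (ev["dest"], ev["user"], ev["parent_process_name"],
               ev["process_name"], ev["process"])
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)

    rows = []
    for (dest, user, parent, pname, proc), g in groups.items():
        rows.append({"dest": dest, "user": user, "parent_process_name": parent,
                     "process_name": pname, "process": proc, "count": g["count"],
                     "firstTime": ctime(g["firstTime"]), "lastTime": ctime(g["lastTime"]),
                     **parse_takeown_args(proc)})
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: the repeated `/f ... /r /d y` on ws01 (count 2, recursive, prompts suppressed) and the single `/F "C:\inetpub\wwwroot" /A` on srv02; the `takeown.exe /?` and icacls.exe events are ignored, exactly as the tstats where clause would ignore them. The extra `recursive`, `to_admins` and `no_prompt` flags are what distinguish a bulk ownership grab across a user's profile from an administrator fixing one file, so they are worth surfacing in the risk message when this is tuned for production.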