
Commit 1cb141a

committed
secret_blizzard
1 parent 6433b52 commit 1cb141a

6 files changed

+374
-0
lines changed
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
name: Windows Certutil Certificate Addition in Temp Path
2+
id: 9184637d-c49b-45b3-a21d-0f9ed72bd74d
3+
version: 1
4+
date: '2025-08-06'
5+
author: Teoderick Contreras, Splunk
6+
status: production
7+
type: TTP
8+
description: The following analytic detects the use of certutil.exe to add a certificate to a Windows certificate store (-addstore), where the certificate file is located in a temporary directory such as %TEMP% or %APPDATA%. This behavior is unusual in legitimate scenarios and may indicate an attacker is attempting to install a malicious or rogue certificate, often as part of TLS interception, credential theft, or privilege escalation. Temporary file paths and the use of certutil—a dual-use tool—are common in post-compromise activities. Monitoring for this pattern helps identify attempts to manipulate trust settings or persist within a compromised environment.
9+
data_source:
10+
- Sysmon EventID 1
11+
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
12+
as process max(_time) as lastTime from datamodel=Endpoint.Processes
13+
where `process_certutil` Processes.process=*-addstore* Processes.process = "*\\Temp\\*"
14+
by Processes.action Processes.dest Processes.original_file_name
15+
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
16+
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
17+
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
18+
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
19+
Processes.user Processes.user_id Processes.vendor_product
20+
| `drop_dm_object_name("Processes")`
21+
| `security_content_ctime(firstTime)`
22+
|`security_content_ctime(lastTime)`
23+
| `windows_certutil_certificate_addition_in_temp_path_filter`'
24+
how_to_implement: The detection is based on data that originates from Endpoint Detection
25+
and Response (EDR) agents. These agents are designed to provide security-related
26+
telemetry from the endpoints where the agent is installed. To implement this search,
27+
you must ingest logs that contain the process GUID, process name, and parent process.
28+
Additionally, you must ingest complete command-line executions. These logs must
29+
be processed using the appropriate Splunk Technology Add-ons that are specific to
30+
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
31+
data model. Use the Splunk Common Information Model (CIM) to normalize the field
32+
names and speed up the data modeling process.
33+
known_false_positives: administrator may use certutil to add a root certificate to the store.
34+
Filter as needed or restrict to critical assets on the perimeter.
35+
references:
36+
- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
37+
drilldown_searches:
38+
- name: View the detection results for - "$dest$"
39+
search: '%original_detection_search% | search dest = "$dest$"'
40+
earliest_offset: $info_min_time$
41+
latest_offset: $info_max_time$
42+
- name: View risk events for the last 7 days for - "$dest$"
43+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
44+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
45+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
46+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
47+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
48+
| `security_content_ctime(lastTime)`'
49+
earliest_offset: $info_min_time$
50+
latest_offset: $info_max_time$
51+
rba:
52+
message: A certificate was added to a Windows certificate store from a temporary path by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.
53+
risk_objects:
54+
- field: dest
55+
type: system
56+
score: 50
57+
threat_objects:
58+
- field: parent_process_name
59+
type: parent_process_name
60+
tags:
61+
analytic_story:
62+
- Secret Blizzard
63+
asset_type: Endpoint
64+
mitre_attack_id:
65+
- T1587.003
66+
product:
67+
- Splunk Enterprise
68+
- Splunk Enterprise Security
69+
- Splunk Cloud
70+
security_domain: endpoint
71+
tests:
72+
- name: True Positive Test
73+
attack_data:
74+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log
75+
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
76+
sourcetype: XmlWinEventLog
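Review bot: the path condition `Processes.process = "*\\Temp\\*"` in the `where` clause is narrower than the `description`, which lists `%APPDATA%` as a covered location: `%APPDATA%` resolves to `...\AppData\Roaming\` and contains no `\Temp\` segment, so a certificate staged there never matches. Either widen the filter (an additional `Processes.process = "*\\AppData\\*"` branch) or reword the description to say only `\Temp\` paths are covered. The `mitre_attack_id` T1587.003 (Develop Capabilities: Digital Certificates) describes the adversary preparing a certificate; installing one into a Windows store is T1553.004 (Subvert Trust Controls: Install Root Certificate), which is the better tag for an endpoint analytic. Also, `known_false_positives` talks only about a root certificate, but this search fires on `-addstore` for any store name, so a user certificate added to the personal store from a temp path is a benign case worth mentioning.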
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
name: Windows Certutil Root Certificate Addition
2+
id: e9926391-ec0c-4bad-8a95-e450dbf6aae4
3+
version: 1
4+
date: '2025-08-06'
5+
author: Teoderick Contreras, Splunk
6+
status: production
7+
type: Anomaly
8+
description: The following analytic detects the use of certutil.exe to add a certificate to the Root certificate store using the -addstore root command. In this case, the certificate is loaded from a temporary file path (e.g., %TEMP%), which is highly suspicious and uncommon in legitimate administrative activity. This behavior may indicate an adversary is installing a malicious root certificate to intercept HTTPS traffic, impersonate trusted entities, or bypass security controls. The use of flags such as -f (force) and -Enterprise, combined with loading .tmp files from user-writable locations, is consistent with post-exploitation activity seen in credential theft and adversary-in-the-middle (AiTM) attacks. This should be investigated immediately, especially if correlated with unauthorized privilege use or prior certificate modifications.
9+
data_source:
10+
- Sysmon EventID 1
11+
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
12+
as process max(_time) as lastTime from datamodel=Endpoint.Processes
13+
where `process_certutil` Processes.process=*-addstore* Processes.process=*root*
14+
by Processes.action Processes.dest Processes.original_file_name
15+
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
16+
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
17+
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
18+
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
19+
Processes.user Processes.user_id Processes.vendor_product
20+
| `drop_dm_object_name("Processes")`
21+
| `security_content_ctime(firstTime)`
22+
|`security_content_ctime(lastTime)`
23+
| `windows_certutil_root_certificate_addition_filter`'
24+
how_to_implement: The detection is based on data that originates from Endpoint Detection
25+
and Response (EDR) agents. These agents are designed to provide security-related
26+
telemetry from the endpoints where the agent is installed. To implement this search,
27+
you must ingest logs that contain the process GUID, process name, and parent process.
28+
Additionally, you must ingest complete command-line executions. These logs must
29+
be processed using the appropriate Splunk Technology Add-ons that are specific to
30+
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
31+
data model. Use the Splunk Common Information Model (CIM) to normalize the field
32+
names and speed up the data modeling process.
33+
known_false_positives: administrator may use certutil to add a root certificate to the store.
34+
Filter as needed or restrict to critical assets on the perimeter.
35+
references:
36+
- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
37+
drilldown_searches:
38+
- name: View the detection results for - "$dest$"
39+
search: '%original_detection_search% | search dest = "$dest$"'
40+
earliest_offset: $info_min_time$
41+
latest_offset: $info_max_time$
42+
- name: View risk events for the last 7 days for - "$dest$"
43+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
44+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
45+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
46+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
47+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
48+
| `security_content_ctime(lastTime)`'
49+
earliest_offset: $info_min_time$
50+
latest_offset: $info_max_time$
51+
rba:
52+
message: A certificate was added to the Root certificate store by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.
53+
risk_objects:
54+
- field: dest
55+
type: system
56+
score: 40
57+
threat_objects:
58+
- field: parent_process_name
59+
type: parent_process_name
60+
tags:
61+
analytic_story:
62+
- Secret Blizzard
63+
asset_type: Endpoint
64+
mitre_attack_id:
65+
- T1587.003
66+
product:
67+
- Splunk Enterprise
68+
- Splunk Enterprise Security
69+
- Splunk Cloud
70+
security_domain: endpoint
71+
tests:
72+
- name: True Positive Test
73+
attack_data:
74+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log
75+
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
76+
sourcetype: XmlWinEventLog
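Review bot: `Processes.process=*root*` in the `where` clause matches the substring `root` anywhere in the command line, not the store argument of `-addstore`, so a certificate file whose path or name contains `root` (for example `rootca.cer` added to the `CA` store) also fires, while the intended case is the store name that follows `-addstore` and its optional `-f`, `-Enterprise` or `-user` flags. Anchoring on the argument, e.g. `Processes.process="*-addstore* root *"`, excludes most filename hits. The `description` also claims the certificate is loaded from a temporary path and that `-f`/`-Enterprise` are used, but the search checks none of these; since the sibling detection in this commit already covers the temp path, either drop those claims from the description or add the conditions. As in the other certutil file, T1587.003 is the capability-development technique; T1553.004 (Install Root Certificate) matches what this analytic observes on the endpoint.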
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
name: Windows FirewallAPI DLL Load from Temp
2+
id: e4cfb996-5fb6-4bcb-93cf-3d42f7cec44c
3+
version: 1
4+
date: '2025-08-06'
5+
author: Teoderick Contreras, Splunk
6+
status: production
7+
type: TTP
8+
description: The following analytic detects suspicious process behavior where firewallapi.dll—a legitimate Windows library responsible for interacting with the Windows Firewall—is loaded from a temporary directory. This is highly atypical, as firewallapi.dll is normally loaded from trusted system locations such as C:\Windows\System32. Loading it from an alternate or user-writable path may indicate DLL search order hijacking, sideloading, or masquerading, techniques commonly used by adversaries to execute code with elevated privileges or bypass security controls. This behavior should be treated as potentially malicious, particularly when observed in conjunction with unsigned binaries, unexpected parent processes, or indicators of privilege escalation and persistence.
9+
data_source:
10+
- Sysmon EventID 7
11+
search: '`sysmon` EventCode=7 ImageLoaded = "*\\temp\\FirewallAPI.dll"
12+
| fillnull
13+
| stats count min(_time) as firstTime max(_time) as lastTime
14+
by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
15+
process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists
16+
service_dll_signature_verified signature signature_id user_id vendor_product
17+
| `security_content_ctime(firstTime)`
18+
| `security_content_ctime(lastTime)`
19+
| `windows_firewallapi_dll_load_from_temp_filter`'
20+
how_to_implement: To successfully implement this search, you need to be ingesting
21+
logs with the process name and imageloaded executions from your endpoints. If you
22+
are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
23+
known_false_positives: Legitimate windows application that are not on the list loading
24+
this dll. Filter as needed.
25+
references:
26+
- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
27+
drilldown_searches:
28+
- name: View the detection results for - "$__UPDATE__FIRST_RISK_OBJECT$" and "$__UPDATE__SECOND_RISK_OBJECT$"
29+
search: '%original_detection_search% | search "$__UPDATE__FIRST_RISK_OBJECT = "$__UPDATE__FIRST_RISK_OBJECT$"
30+
second_observable_type_here = "$__UPDATE__SECOND_RISK_OBJECT$"'
31+
earliest_offset: $info_min_time$
32+
latest_offset: $info_max_time$
33+
- name: View the detection results for - "$dest$"
34+
search: '%original_detection_search% | search dest = "$dest$"'
35+
earliest_offset: $info_min_time$
36+
latest_offset: $info_max_time$
37+
- name: View risk events for the last 7 days for - "$dest$"
38+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
39+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
40+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
41+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
42+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
43+
| `security_content_ctime(lastTime)`'
44+
earliest_offset: $info_min_time$
45+
latest_offset: $info_max_time$
46+
rba:
47+
message: FirewallAPI.dll loaded from a temporary path on $dest$.
48+
risk_objects:
49+
- field: dest
50+
type: system
51+
score: 50
52+
threat_objects: []
53+
tags:
54+
analytic_story:
55+
- Secret Blizzard
56+
asset_type: Endpoint
57+
mitre_attack_id:
58+
- T1574.001
59+
product:
60+
- Splunk Enterprise
61+
- Splunk Enterprise Security
62+
- Splunk Cloud
63+
security_domain: endpoint
64+
tests:
65+
- name: True Positive Test
66+
attack_data:
67+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log
68+
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
69+
sourcetype: XmlWinEventLogle
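Review bot: `sourcetype: XmlWinEventLogle` in the test block is a typo for `XmlWinEventLog` (compare the two certutil files in this commit); replaying the attack data under a non-existent sourcetype means the Sysmon add-on's field extractions do not apply, so the True Positive Test is unlikely to pass. The first drilldown is unfilled template boilerplate: its name still carries `$__UPDATE__FIRST_RISK_OBJECT$` and `$__UPDATE__SECOND_RISK_OBJECT$`, and its search `| search "$__UPDATE__FIRST_RISK_OBJECT = "$__UPDATE__FIRST_RISK_OBJECT$"` has an unbalanced quote and references a field named `second_observable_type_here`; delete it (the `$dest$` drilldowns that follow are the real ones) before this ships as `status: production`. Separately, `ImageLoaded = "*\\temp\\FirewallAPI.dll"` only matches a DLL sitting directly inside a directory named `temp`; a copy in a subfolder beneath it falls through, although the `description` says any temporary directory, and `*\\temp\\*FirewallAPI.dll` would cover both. Finally, `known_false_positives` refers to "the list", but the search has no allow-list; reword it or point to the filter macro.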
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
name: Windows FirewallAPI DLL Load from Unusual Path
2+
id: e87342ac-ca3f-462c-a183-31c51c2f5259
3+
version: 1
4+
date: '2025-08-06'
5+
author: Teoderick Contreras, Splunk
6+
status: production
7+
type: Anomaly
8+
description: The following analytic detects suspicious process behavior where firewallapi.dll—a legitimate Windows library responsible for interacting with the Windows Firewall—is loaded from a temporary directory (e.g., %TEMP%, %APPDATA%, or similar non-standard paths). This is highly atypical, as firewallapi.dll is normally loaded from trusted system locations such as C:\Windows\System32. Loading it from an alternate or user-writable path may indicate DLL search order hijacking, sideloading, or masquerading, techniques commonly used by adversaries to execute code with elevated privileges or bypass security controls. This behavior should be treated as potentially malicious, particularly when observed in conjunction with unsigned binaries, unexpected parent processes, or indicators of privilege escalation and persistence.
9+
data_source:
10+
- Sysmon EventID 7
11+
search: '`sysmon` EventCode=7 AND ImageLoaded = "*\\FirewallAPI.dll" AND NOT ImageLoaded IN ("c:\\windows\\system32\\*", "c:\\windows\\syswow64\\*")
12+
| fillnull
13+
| stats count min(_time) as firstTime max(_time) as lastTime
14+
by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
15+
process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists
16+
service_dll_signature_verified signature signature_id user_id vendor_product
17+
| `security_content_ctime(firstTime)`
18+
| `security_content_ctime(lastTime)`
19+
| `windows_firewallapi_dll_load_from_unusual_path_filter`'
20+
how_to_implement: To successfully implement this search, you need to be ingesting
21+
logs with the process name and imageloaded executions from your endpoints. If you
22+
are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
23+
known_false_positives: Legitimate windows application that are not on the list loading
24+
this dll. Filter as needed.
25+
references:
26+
- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
27+
drilldown_searches:
28+
- name: View the detection results for - "$__UPDATE__FIRST_RISK_OBJECT$" and "$__UPDATE__SECOND_RISK_OBJECT$"
29+
search: '%original_detection_search% | search "$__UPDATE__FIRST_RISK_OBJECT = "$__UPDATE__FIRST_RISK_OBJECT$"
30+
second_observable_type_here = "$__UPDATE__SECOND_RISK_OBJECT$"'
31+
earliest_offset: $info_min_time$
32+
latest_offset: $info_max_time$
33+
- name: View the detection results for - "$dest$"
34+
search: '%original_detection_search% | search dest = "$dest$"'
35+
earliest_offset: $info_min_time$
36+
latest_offset: $info_max_time$
37+
- name: View risk events for the last 7 days for - "$dest$"
38+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
39+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
40+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
41+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
42+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
43+
| `security_content_ctime(lastTime)`'
44+
earliest_offset: $info_min_time$
45+
latest_offset: $info_max_time$
46+
rba:
47+
message: FirewallAPI.dll loaded from a non-standard Windows module path on $dest$.
48+
risk_objects:
49+
- field: dest
50+
type: system
51+
score: 30
52+
threat_objects: []
53+
tags:
54+
analytic_story:
55+
- Secret Blizzard
56+
asset_type: Endpoint
57+
mitre_attack_id:
58+
- T1574.001
59+
product:
60+
- Splunk Enterprise
61+
- Splunk Enterprise Security
62+
- Splunk Cloud
63+
security_domain: endpoint
64+
tests:
65+
- name: True Positive Test
66+
attack_data:
67+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log
68+
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
69+
sourcetype: XmlWinEventLogle
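Review bot: `sourcetype: XmlWinEventLogle` in the test block is the same typo as in the temp-path file and should be `XmlWinEventLog`, otherwise the replayed data is not parsed by the Sysmon add-on and the test cannot pass. The first drilldown entry is likewise unfilled template text (`$__UPDATE__FIRST_RISK_OBJECT$`, `second_observable_type_here`, and an unbalanced quote in its search) and should be removed before `status: production`. The `description` is copied from the temp-path detection and says the DLL is loaded from a temporary directory, but this search fires on any `FirewallAPI.dll` load outside `c:\windows\system32\` and `c:\windows\syswow64\`, which is the broader and correct behaviour for an `Anomaly`; reword the description to match it. The exclusion `NOT ImageLoaded IN ("c:\\windows\\system32\\*", "c:\\windows\\syswow64\\*")` hardcodes the drive letter, so a host with `%SystemRoot%` on a different drive would alert on every legitimate load; `"*\\windows\\system32\\*"` and `"*\\windows\\syswow64\\*"` avoid that. As in the sibling file, `known_false_positives` mentions "the list" though no allow-list exists in the search.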
