Merge pull request #3633 from splunk/3886

Detections for 3886

Author: patel-bhavin

detections/application/esxi_firewall_disabled.yml

@@ -1,7 +1,7 @@
 name: ESXi Firewall Disabled
 id: e321804c-8eb5-42f2-a843-36b289a6c6b2
-version: 1
-date: '2025-05-12'
+version: 2
+date: '2025-08-06'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -47,6 +47,7 @@ tags:
   analytic_story:
   - ESXi Post Compromise
   - Black Basta Ransomware
+  - China-Nexus Threat Activity
   asset_type: Infrastructure
   mitre_attack_id:
   - T1562.004

detections/application/esxi_malicious_vib_forced_install.yml

@@ -1,7 +1,7 @@
 name: ESXi Malicious VIB Forced Install
 id: 5d4d2cd2-7b65-4474-97cf-e9b203bcd770
-version: 1
-date: '2025-05-09'
+version: 2
+date: '2025-08-06'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -54,6 +54,7 @@ tags:
   analytic_story:
   - ESXi Post Compromise
   - Black Basta Ransomware
+  - China-Nexus Threat Activity
   asset_type: Infrastructure
   mitre_attack_id:
   - T1505.006

detections/application/esxi_sensitive_files_accessed.yml

@@ -1,7 +1,7 @@
 name: ESXi Sensitive Files Accessed
 id: 6fa0073d-6ca0-4f93-913d-fb420c9de15b
-version: 1
-date: '2025-05-19'
+version: 2
+date: '2025-08-06'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -50,6 +50,7 @@ tags:
   analytic_story:
   - ESXi Post Compromise
   - Black Basta Ransomware
+  - China-Nexus Threat Activity
   asset_type: Infrastructure
   mitre_attack_id:
   - T1003.008

detections/application/esxi_vib_acceptance_level_tampering.yml

@@ -1,7 +1,7 @@
 name: ESXi VIB Acceptance Level Tampering
 id: d051d94f-c792-445e-b5d2-0b904f93ac09
-version: 1
-date: '2025-05-15'
+version: 2
+date: '2025-08-06'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -49,6 +49,7 @@ tags:
   analytic_story:
   - ESXi Post Compromise
   - Black Basta Ransomware
+  - China-Nexus Threat Activity
   asset_type: Infrastructure
   mitre_attack_id:
   - T1562

detections/application/esxi_vm_discovery.yml

@@ -1,7 +1,7 @@
 name: ESXi VM Discovery
 id: 5643cdc9-a0be-4123-860b-f13da0bf4fcb
-version: 1
-date: '2025-05-15'
+version: 2
+date: '2025-08-06'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -49,6 +49,7 @@ tags:
   analytic_story:
   - ESXi Post Compromise
   - Black Basta Ransomware
+  - China-Nexus Threat Activity
   asset_type: Infrastructure
   mitre_attack_id:
   - T1673

detections/endpoint/linux_gdrive_binary_activity.yml

@@ -0,0 +1,78 @@
+name: Linux Gdrive Binary Activity
+id: a42f8029-5472-4c33-8943-bb17bb07466a
+version: 1
+date: '2025-08-01'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic detects the execution of the 'gdrive' tool on a
+  Linux host. This tool allows standard users to perform tasks associated with Google Drive
+  via the command line. This is used by actors to stage tools as well as exfiltrate data.
+  The detection leverages data from Endpoint Detection and Response
+  (EDR) agents, focusing on process names and command-line executions. If confirmed malicious, 
+  this could lead to compromise of systems or sensitive data being stolen.
+data_source:
+- Sysmon for Linux EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where Processes.process_name="gdrive"
+  Processes.process IN  ("* download *", "* upload *", "* list*", "* update *",
+  "* sync *", "* share *", "* account add*", "* drives *", "* files *") by Processes.action Processes.dest
+  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
+  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `linux_gdrive_binary_activity_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
+references:
+- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $process_name$ was identified
+    attempting to interact with Google Drive on endpoint $dest$ by $user$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 49
+  threat_objects: []
+tags:
+  analytic_story:
+  - China-Nexus Threat Activity
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1567
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_linux.log
+    sourcetype: sysmon:linux
+    source: Syslog:Linux-Sysmon/Operational

detections/endpoint/linux_medusa_rootkit.yml

@@ -0,0 +1,76 @@
+name: Linux Medusa Rootkit
+id: 7add8520-71d5-43aa-b262-ee082b1f0238
+version: 1
+date: '2025-08-05'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: This detection identifies file creation events associated with the installation of the Medusa 
+  rootkit, a userland LD_PRELOAD-based rootkit known for deploying shared objects, loader binaries, and
+  configuration files into specific system directories. These files typically facilitate process hiding, 
+  credential theft, and backdoor access. Monitoring for such file creation patterns enables early 
+  detection of rootkit deployment before full compromise.
+data_source:
+- Sysmon for Linux EventID 11
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/lib/libseconf", 
+  "*.backup_ld.so", "*.boot.sh", "*.logpam", "*sshpass.txt", "*sshpass2.txt", "*/lib/libdsx.so", 
+  "*rkload", "*/lib/libseconf/local.txt", "*/lib/locate/local.txt", "*/var/log/remote.txt", 
+  "*/lib/libseconf/.pts", "*/lib/locate /.pts", "*/libseconf/.ports")
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
+  Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
+  Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
+  Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` |
+  `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_medusa_rootkit_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Little to no false positives in most environments. Tune as needed.
+references:
+- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Medusa rootkit files were identified on endpoint $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 62
+  threat_objects: []
+tags:
+  analytic_story:
+  - China-Nexus Threat Activity
+  - Medusa Rootkit
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1014
+  - T1589.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log
+    source: Syslog:Linux-Sysmon/Operational
+    sourcetype: sysmon:linux

detections/endpoint/linux_service_file_created_in_systemd_directory.yml

@@ -1,7 +1,7 @@
 name: Linux Service File Created In Systemd Directory
 id: c7495048-61b6-11ec-9a37-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-08-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -65,6 +65,7 @@ tags:
   - Linux Living Off The Land
   - Scheduled Tasks
   - Gomir
+  - China-Nexus Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.006

detections/endpoint/windows_gdrive_binary_activity.yml

@@ -0,0 +1,81 @@
+name: Windows Gdrive Binary Activity
+id: 9e7bd7c8-1c08-496e-9ffe-fd84ceb322e7
+version: 1
+date: '2025-08-01'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic detects the execution of the 'gdrive' tool on a
+  Windows host. This tool allows standard users to perform tasks associated with Google Drive
+  via the command line. This is used by actors to stage tools as well as exfiltrate data.
+  The detection leverages data from Endpoint Detection and Response
+  (EDR) agents, focusing on process names and command-line executions. If confirmed malicious, 
+  this could lead to compromise of systems or sensitive data being stolen.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="gdrive.exe" OR 
+  Processes.original_file_name="*gdrive.exe") Processes.process IN  ("* download *", "* upload *", 
+  "* list*", "* update *", "* sync *", "* share *", "* account add*", "* drives *", "* files *")
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process 
+  Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id 
+  Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `windows_gdrive_binary_activity_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
+references:
+- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $process_name$ was identified
+    attempting to interact with Google Drive on endpoint $dest$ by $user$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 49
+  threat_objects: []
+tags:
+  analytic_story:
+  - China-Nexus Threat Activity
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1567
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_windows.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog