Merge pull request #3656 from splunk/objectivity_stealer

objectivity_stealer

Author: patel-bhavin

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -1,17 +1,18 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 14
-date: '2025-08-07'
+version: 15
+date: '2025-08-22'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
-description: The following analytic detects the use of `cmd.exe /c` to execute commands,
-  a technique often employed by adversaries and malware to run batch commands or invoke
-  other shells like PowerShell. This detection leverages data from Endpoint Detection
-  and Response (EDR) agents, focusing on command-line executions and process metadata.
-  Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized
-  command execution. If confirmed malicious, this behavior could lead to unauthorized
-  code execution, privilege escalation, or persistence within the environment.
+description: The following analytic detects the use of `cmd.exe /c` to execute 
+  commands, a technique often employed by adversaries and malware to run batch 
+  commands or invoke other shells like PowerShell. This detection leverages data
+  from Endpoint Detection and Response (EDR) agents, focusing on command-line 
+  executions and process metadata. Monitoring this activity is crucial as it can
+  indicate script-based attacks or unauthorized command execution. If confirmed 
+  malicious, this behavior could lead to unauthorized code execution, privilege 
+  escalation, or persistence within the environment.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -25,17 +26,18 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_carry_out_string_command_parameter_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: False positives may be high based on legitimate scripted code
-  in any environment. Filter as needed.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: False positives may be high based on legitimate scripted 
+  code in any environment. Filter as needed.
 references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
@@ -65,6 +67,7 @@ tags:
   - RedLine Stealer
   - Log4Shell CVE-2021-44228
   - Interlock Rat
+  - 0bj3ctivity Stealer
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -78,6 +81,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/download_files_using_telegram.yml

@@ -1,77 +1,76 @@
 name: Download Files Using Telegram
 id: 58194e28-ae5e-11eb-8912-acde48001122
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-08-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description:
-  The following analytic detects suspicious file downloads by the Telegram
-  application on a Windows system. It leverages Sysmon EventCode 15 to identify instances
-  where Telegram.exe creates files with a Zone.Identifier, indicating a download.
-  This activity is significant as it may indicate an adversary using Telegram to download
-  malicious tools, such as network scanners, for further exploitation. If confirmed
-  malicious, this behavior could lead to network mapping, lateral movement, and potential
-  compromise of additional systems within the network.
+description: The following analytic detects suspicious file downloads by the 
+  Telegram application on a Windows system. It leverages Sysmon EventCode 15 to 
+  identify instances where Telegram.exe creates files with a Zone.Identifier, 
+  indicating a download. This activity is significant as it may indicate an 
+  adversary using Telegram to download malicious tools, such as network 
+  scanners, for further exploitation. If confirmed malicious, this behavior 
+  could lead to network mapping, lateral movement, and potential compromise of 
+  additional systems within the network.
 data_source:
-  - Sysmon EventID 15
-search:
-  '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier"
+- Sysmon EventID 15
+search: '`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier"
   | stats count min(_time) as firstTime max(_time) as lastTime by dest dvc file_hash
   file_name file_path process_exec process_guid process_id process_name process_path
   signature signature_id user_id vendor_product Contents Image | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`'
-how_to_implement:
-  To successfully implement this search, you need to be ingesting
-  logs with the process name and TargetFilename from your endpoints or Events that
-  monitor filestream events which is happened when process download something. (EventCode
-  15) If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon
-  TA.
-known_false_positives:
-  normal download of file in telegram app. (if it was a common
-  app in network)
+how_to_implement: To successfully implement this search, you need to be 
+  ingesting logs with the process name and TargetFilename from your endpoints or
+  Events that monitor filestream events which is happened when process download 
+  something. (EventCode 15) If you are using Sysmon, you must have at least 
+  version 6.0.4 of the Sysmon TA.
+known_false_positives: normal download of file in telegram app. (if it was a 
+  common app in network)
 references:
-  - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
+- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 drilldown_searches:
-  - name: View the detection results for - "$dest$"
-    search: '%original_detection_search% | search  dest = "$dest$"'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
-  - name: View risk events for the last 7 days for - "$dest$"
-    search:
-      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-      | `security_content_ctime(lastTime)`'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
-  message: Suspicious files were downloaded with the Telegram application on $dest$
+  message: Suspicious files were downloaded with the Telegram application on 
+    $dest$
   risk_objects:
-    - field: dest
-      type: system
-      score: 49
+  - field: dest
+    type: system
+    score: 49
   threat_objects: []
 tags:
   analytic_story:
-    - Phemedrone Stealer
-    - Crypto Stealer
-    - Snake Keylogger
-    - XMRig
-    - Water Gamayun
+  - Phemedrone Stealer
+  - Crypto Stealer
+  - Snake Keylogger
+  - XMRig
+  - Water Gamayun
+  - 0bj3ctivity Stealer
   asset_type: Endpoint
   mitre_attack_id:
-    - T1105
+  - T1105
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
-    - Splunk Cloud
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
-  - name: True Positive Test
-    attack_data:
-      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log
-        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-        sourcetype: XmlWinEventLog
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/minergate/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml

@@ -1,18 +1,19 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: '14'
-date: '2025-05-06'
+version: 15
+date: '2025-08-22'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects PowerShell processes initiated with parameters
-  that bypass the local execution policy for scripts. It leverages data from Endpoint
-  Detection and Response (EDR) agents, focusing on command-line executions containing
-  specific flags like "-ex" or "bypass." This activity is significant because bypassing
-  execution policies is a common tactic used by attackers to run malicious scripts
-  undetected. If confirmed malicious, this could allow an attacker to execute arbitrary
-  code, potentially leading to further system compromise, data exfiltration, or persistent
-  access within the environment.
+description: The following analytic detects PowerShell processes initiated with 
+  parameters that bypass the local execution policy for scripts. It leverages 
+  data from Endpoint Detection and Response (EDR) agents, focusing on 
+  command-line executions containing specific flags like "-ex" or "bypass." This
+  activity is significant because bypassing execution policies is a common 
+  tactic used by attackers to run malicious scripts undetected. If confirmed 
+  malicious, this could allow an attacker to execute arbitrary code, potentially
+  leading to further system compromise, data exfiltration, or persistent access 
+  within the environment.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
@@ -28,18 +29,19 @@ search: '| tstats `security_content_summariesonly` values(Processes.process_id)
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `malicious_powershell_process___execution_policy_bypass_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives: There may be legitimate reasons to bypass the PowerShell execution
-  policy. The PowerShell script being run with this parameter should be validated
-  to ensure that it is legitimate.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: There may be legitimate reasons to bypass the PowerShell 
+  execution policy. The PowerShell script being run with this parameter should 
+  be validated to ensure that it is legitimate.
 references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 drilldown_searches:
@@ -73,6 +75,7 @@ tags:
   - Salt Typhoon
   - XWorm
   - DarkCrystal RAT
+  - 0bj3ctivity Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001
@@ -84,6 +87,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml

@@ -1,29 +1,31 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 11
-date: '2025-07-16'
+version: 12
+date: '2025-08-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects non-Firefox processes accessing the Firefox
-  profile directory, which contains sensitive user data such as login credentials,
-  browsing history, and cookies. It leverages Windows Security Event logs, specifically
-  event code 4663, to monitor access attempts. This activity is significant because
-  it may indicate attempts by malware, such as RATs or trojans, to harvest user information.
-  If confirmed malicious, this behavior could lead to data exfiltration, unauthorized
-  access to user accounts, and further compromise of the affected system.
+description: The following analytic detects non-Firefox processes accessing the 
+  Firefox profile directory, which contains sensitive user data such as login 
+  credentials, browsing history, and cookies. It leverages Windows Security 
+  Event logs, specifically event code 4663, to monitor access attempts. This 
+  activity is significant because it may indicate attempts by malware, such as 
+  RATs or trojans, to harvest user information. If confirmed malicious, this 
+  behavior could lead to data exfiltration, unauthorized access to user 
+  accounts, and further compromise of the affected system.
 data_source:
 - Windows Event Log Security 4663
 search: '`wineventlog_security` EventCode=4663 NOT (ProcessName IN ("*\\firefox.exe",
   "*\\explorer.exe", "*sql*")) ObjectName="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*"
   | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType
   ProcessName AccessMask EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `non_firefox_process_access_firefox_profile_dir_filter`'
-how_to_implement: To successfully implement this search, you must ingest Windows Security
-  Event logs and track event code 4663. For 4663, enable "Audit Object Access" in
-  Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-known_false_positives: other browser not listed related to firefox may catch by this
-  rule.
+how_to_implement: To successfully implement this search, you must ingest Windows
+  Security Event logs and track event code 4663. For 4663, enable "Audit Object 
+  Access" in Group Policy. Then check the two boxes listed for both "Success" 
+  and "Failure."
+known_false_positives: other browser not listed related to firefox may catch by 
+  this rule.
 references: []
 drilldown_searches:
 - name: View the detection results for - "$dest$"
@@ -65,6 +67,7 @@ tags:
   - FIN7
   - Snake Keylogger
   - China-Nexus Threat Activity
+  - 0bj3ctivity Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1555.003
@@ -76,6 +79,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog