Merge pull request #3513 from splunk/xworm

xworm

Author: patel-bhavin

detections/endpoint/add_or_set_windows_defender_exclusion.yml

@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 9
-date: '2025-05-02'
+version: '10'
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -68,14 +68,15 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - CISA AA22-320A
+  - Compromised Windows Host
   - AgentTesla
-  - Remcos
   - Data Destruction
-  - Compromised Windows Host
+  - Remcos
+  - CISA AA22-320A
   - ValleyRAT
-  - Windows Defense Evasion Tactics
+  - XWorm
   - WhisperGate
+  - Windows Defense Evasion Tactics
   - Crypto Stealer
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 14
-date: '2025-05-02'
+version: '15'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -74,19 +74,20 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Data Destruction
+  - Log4Shell CVE-2021-44228
+  - Phemedrone Stealer
   - Malicious PowerShell
+  - PXA Stealer
   - China-Nexus Threat Activity
+  - Data Destruction
+  - Braodo Stealer
+  - PHP-CGI RCE Attack on Japanese Organizations
   - Hermetic Wiper
-  - DarkCrystal RAT
-  - Phemedrone Stealer
-  - PXA Stealer
-  - Log4Shell CVE-2021-44228
+  - Ingress Tool Transfer
   - Salt Typhoon
-  - Braodo Stealer
+  - XWorm
+  - DarkCrystal RAT
   - Crypto Stealer
-  - Ingress Tool Transfer
-  - PHP-CGI RCE Attack on Japanese Organizations
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/any_powershell_downloadstring.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadString
 id: 4d015ef2-7adf-11eb-95da-acde48001122
-version: 11
-date: '2025-05-02'
+version: '12'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -76,15 +76,16 @@ rba:
 tags:
   analytic_story:
   - Winter Vivern
-  - Ingress Tool Transfer
-  - Hermetic Wiper
+  - Phemedrone Stealer
   - Malicious PowerShell
-  - HAFNIUM Group
   - Data Destruction
-  - IcedID
   - SysAid On-Prem Software CVE-2023-47246 Vulnerability
-  - Phemedrone Stealer
   - PHP-CGI RCE Attack on Japanese Organizations
+  - Hermetic Wiper
+  - IcedID
+  - Ingress Tool Transfer
+  - HAFNIUM Group
+  - XWorm
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

detections/endpoint/cmd_carry_out_string_command_parameter.yml

@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-05-06'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
@@ -17,8 +17,8 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="*
-  /c*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+  as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process IN ("*/c*", "*/k*")
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level

detections/endpoint/detect_mshta_inline_hta_execution.yml

@@ -1,7 +1,7 @@
 name: Detect mshta inline hta execution
 id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: 16
-date: '2025-05-02'
+version: '17'
+date: '2025-05-06'
 author: Bhavin Patel, Michael Haag, Splunk
 status: production
 type: TTP
@@ -75,10 +75,11 @@ rba:
     type: process_name
 tags:
   analytic_story:
+  - Compromised Windows Host
   - Gozi Malware
-  - Suspicious MSHTA Activity
   - Living Off The Land
-  - Compromised Windows Host
+  - Suspicious MSHTA Activity
+  - XWorm
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.005

detections/endpoint/detect_mshta_url_in_command_line.yml

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 12
-date: '2025-05-02'
+version: '13'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -75,10 +75,11 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Suspicious MSHTA Activity
+  - Compromised Windows Host
   - Lumma Stealer
   - Living Off The Land
-  - Compromised Windows Host
+  - Suspicious MSHTA Activity
+  - XWorm
   asset_type: Endpoint
   mitre_attack_id:
   - T1218.005

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 15
-date: '2025-05-02'
+version: 16
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -18,10 +18,10 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
   file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
   "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
   "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
-  "*\\Windows\\repair\\*", "*\\AppData\\Local\\Temp*", "*\\PerfLogs\\*", "*:\\temp\\*")
+  "*\\Windows\\repair\\*", "*\\PerfLogs\\*")
   by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
   Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
   Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 13
-date: '2025-05-02'
+version: 14
+date: '2025-05-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -18,7 +18,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
   file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*",
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*",
   "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid

detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 13
-date: '2025-05-02'
+version: '14'
+date: '2025-05-06'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -21,14 +21,13 @@ search: '| tstats `security_content_summariesonly` values(Processes.process_id)
   process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process)
   as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
   where `process_powershell` (Processes.process="* -ex*" AND Processes.process="*
-  bypass *") 
-  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash 
-  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path 
-  Processes.user Processes.user_id Processes.vendor_product 
-  | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`'
+  bypass *") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
+  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `malicious_powershell_process___execution_policy_bypass_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -66,13 +65,14 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - DHS Report TA18-074A
+  - Volt Typhoon
   - China-Nexus Threat Activity
   - AsyncRAT
-  - DarkCrystal RAT
-  - Volt Typhoon
-  - Salt Typhoon
   - HAFNIUM Group
-  - DHS Report TA18-074A
+  - Salt Typhoon
+  - XWorm
+  - DarkCrystal RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

detections/endpoint/powershell_4104_hunting.yml

@@ -1,12 +1,11 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 16
-date: '2025-05-02'
+version: '17'
+date: '2025-05-06'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
-description:
-  The following analytic identifies suspicious PowerShell execution using
+description: The following analytic identifies suspicious PowerShell execution using
   Script Block Logging (EventCode 4104). It leverages specific patterns and keywords
   within the ScriptBlockText field to detect potentially malicious activities. This
   detection is significant for SOC analysts as PowerShell is commonly used by attackers
@@ -15,9 +14,8 @@ description:
   execute arbitrary commands, exfiltrate data, or maintain long-term access to the
   compromised system, posing a severe threat to the organization's security.
 data_source:
-  - Powershell Script Block Logging 4104
-search:
-  '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"),
+- Powershell Script Block Logging 4104
+search: '`powershell` EventCode=4104 | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"),
   "4", 0) | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)")
   OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0) |
   eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0)
@@ -45,52 +43,52 @@ search:
   compressed, downgrade, iex, mimikatz, rundll32, empire, webclient, syswow64, httplocal,
   reflection, invokewmi, invokecmd, base64, get, suspcmdlet, suspkeywrd | rename Computer
   as dest, UserID as user | `powershell_4104_hunting_filter`'
-how_to_implement:
-  The following Hunting analytic requires PowerShell operational logs
+how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
 known_false_positives: Limited false positives. May filter as needed.
 references:
-  - https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md
-  - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell
-  - https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt
-  - https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
-  - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1
-  - https://www.mandiant.com/resources/greater-visibilityt
-  - https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/
-  - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
-  - https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/
+- https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/powershell_qualifiers.md
+- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell
+- https://github.com/marcurdy/dfir-toolset/blob/master/Powershell%20Blueteam.txt
+- https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
+- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1
+- https://www.mandiant.com/resources/greater-visibilityt
+- https://hurricanelabs.com/splunk-tutorials/how-to-use-powershell-transcription-logs-in-splunk/
+- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
+- https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/
 tags:
   analytic_story:
-    - Braodo Stealer
-    - Cactus Ransomware
-    - China-Nexus Threat Activity
-    - CISA AA23-347A
-    - CISA AA24-241A
-    - Cleo File Transfer Software
-    - DarkGate Malware
-    - Data Destruction
-    - Flax Typhoon
-    - Hermetic Wiper
-    - Lumma Stealer
-    - Malicious PowerShell
-    - Medusa Ransomware
-    - Rhysida Ransomware
-    - Salt Typhoon
-    - SystemBC
-    - PHP-CGI RCE Attack on Japanese Organizations
-    - Water Gamayun
+  - CISA AA23-347A
+  - China-Nexus Threat Activity
+  - Data Destruction
+  - PHP-CGI RCE Attack on Japanese Organizations
+  - Hermetic Wiper
+  - Medusa Ransomware
+  - Braodo Stealer
+  - Cleo File Transfer Software
+  - Lumma Stealer
+  - Salt Typhoon
+  - Cactus Ransomware
+  - Malicious PowerShell
+  - Water Gamayun
+  - XWorm
+  - Flax Typhoon
+  - CISA AA24-241A
+  - Rhysida Ransomware
+  - SystemBC
+  - DarkGate Malware
   asset_type: Endpoint
   mitre_attack_id:
-    - T1059.001
+  - T1059.001
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
-    - Splunk Cloud
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
-  - name: True Positive Test
-    attack_data:
-      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
-        source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
-        sourcetype: XmlWinEventLog
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: XmlWinEventLog