Merge pull request #3679 from splunk/promptlock

promptlock

Author: patel-bhavin

detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml

@@ -1,7 +1,7 @@
 name: Cisco NVM - Curl Execution With Insecure Flags
 id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -13,7 +13,7 @@ description: |
   This behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints,
   a common tactic in red team operations, malware staging, or data exfiltration over HTTPS.
 data_source:
-  - Cisco Network Visibility Module Flow Data
+- Cisco Network Visibility Module Flow Data
 search: |
   `cisco_network_visibility_module_flowdata`
   process_name = "curl.exe"
@@ -56,39 +56,41 @@ known_false_positives: |
   Usage of these flags to reach public IPs or uncommon destinations should be reviewed.
   Tuning may be required for domains with known certificate issues.
 references:
-  - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
+- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
 drilldown_searches:
-  - name: View the detection results for - "$src$"
-    search: '%original_detection_search% | search  src = "$src$"'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
-  - name: View risk events for the last 7 days for - "$src$"
-    search:
-      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time)
-      as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
-      as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
-  message: The host $src$ executed curl with insecure flags and communicated with $dest$ / $dest_hostname$ over port $dest_port$
+  message: The host $src$ executed curl with insecure flags and communicated 
+    with $dest$ / $dest_hostname$ over port $dest_port$
   risk_objects:
-    - field: src
-      type: system
-      score: 30
+  - field: src
+    type: system
+    score: 30
   threat_objects:
-    - field: process_name
-      type: process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
-    - Cisco Network Visibility Module Analytics
+  - Cisco Network Visibility Module Analytics
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
-    - T1197
+  - T1197
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
+  - Splunk Enterprise
+  - Splunk Enterprise Security
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -114,6 +114,7 @@ tags:
   - Interlock Ransomware
   - Interlock Rat
   - NailaoLocker Ransomware
+  - PromptLock
   - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -1,34 +1,37 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 15
-date: '2025-08-07'
+version: 16
+date: '2025-09-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies the creation of executables or scripts
-  in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem
-  data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created
-  in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is
-  significant as adversaries often use these paths to evade detection and maintain
-  persistence. If confirmed malicious, this behavior could allow attackers to execute
-  unauthorized code, escalate privileges, or persist within the environment, posing
-  a significant security threat.
+description: The following analytic identifies the creation of executables or 
+  scripts in suspicious file paths on Windows systems. It leverages the 
+  Endpoint.Filesystem data model to detect files with specific extensions (e.g.,
+  .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, 
+  \users\public\). This activity is significant as adversaries often use these 
+  paths to evade detection and maintain persistence. If confirmed malicious, 
+  this behavior could allow attackers to execute unauthorized code, escalate 
+  privileges, or persist within the environment, posing a significant security 
+  threat.
 data_source:
 - Sysmon EventID 11
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
   file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*",
-  "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action Filesystem.dest Filesystem.file_access_time
-  Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name
-  Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
-  Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
-  on process that include the name of the Filesystem responsible for the changes from
-  your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-known_false_positives: Administrators may allow creation of script or exe in the paths
-  specified. Filter as needed.
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN
+  ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action
+  Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash
+  Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl
+  Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
+  Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting
+  information on process that include the name of the Filesystem responsible for
+  the changes from your endpoints into the `Endpoint` datamodel in the 
+  `Filesystem` node.
+known_false_positives: Administrators may allow creation of script or exe in the
+  paths specified. Filter as needed.
 references:
 - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
@@ -49,8 +52,9 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Potentially suspicious executable or script with file name $file_name$,
-    $file_path$ and process_id $process_id$ was created in temporary folder by $user$
+  message: Potentially suspicious executable or script with file name 
+    $file_name$, $file_path$ and process_id $process_id$ was created in 
+    temporary folder by $user$
   risk_objects:
   - field: user
     type: user
@@ -102,6 +106,7 @@ tags:
   - Amadey
   - IcedID
   - Interlock Rat
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
   - T1036
@@ -113,6 +118,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/windows_curl_upload_to_remote_destination.yml

@@ -1,18 +1,18 @@
 name: Windows Curl Upload to Remote Destination
 id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 10
-date: '2025-06-20'
+version: 11
+date: '2025-09-10'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-description:
-  The following analytic detects the use of Windows Curl.exe to upload
-  a file to a remote destination. It identifies command-line arguments such as `-T`,
-  `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity
-  is significant because adversaries may use Curl to exfiltrate data or upload malicious
-  payloads. If confirmed malicious, this could lead to data breaches or further compromise
-  of the system. Analysts should review parallel processes and network logs to determine
-  if the upload was successful and isolate the endpoint if necessary.
+description: The following analytic detects the use of Windows Curl.exe to 
+  upload a file to a remote destination. It identifies command-line arguments 
+  such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution 
+  logs. This activity is significant because adversaries may use Curl to 
+  exfiltrate data or upload malicious payloads. If confirmed malicious, this 
+  could lead to data breaches or further compromise of the system. Analysts 
+  should review parallel processes and network logs to determine if the upload 
+  was successful and isolate the endpoint if necessary.
 data_source:
   - Sysmon EventID 1
   - Windows Event Log Security 4688
@@ -29,19 +29,18 @@ search:
   Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_curl_upload_to_remote_destination_filter`'
-how_to_implement:
-  The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives:
-  False positives may be limited to source control applications
-  and may be required to be filtered out.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: False positives may be limited to source control 
+  applications and may be required to be filtered out.
 references:
   - https://everything.curl.dev/usingcurl/uploads
   - https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409
@@ -62,9 +61,9 @@ drilldown_searches:
     earliest_offset: $info_min_time$
     latest_offset: $info_max_time$
 rba:
-  message:
-    An instance of $parent_process_name$ spawning $process_name$ was identified
-    on endpoint $dest$ by user $user$ uploading a file to a remote destination.
+  message: An instance of $parent_process_name$ spawning $process_name$ was 
+    identified on endpoint $dest$ by user $user$ uploading a file to a remote 
+    destination.
   risk_objects:
     - field: user
       type: user
@@ -79,9 +78,10 @@ rba:
       type: process_name
 tags:
   analytic_story:
-    - Compromised Windows Host
-    - Ingress Tool Transfer
-    - Cisco Network Visibility Module Analytics
+  - Compromised Windows Host
+  - Ingress Tool Transfer
+  - Cisco Network Visibility Module Analytics
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
     - T1105

detections/endpoint/windows_process_execution_in_temp_dir.yml

@@ -1,7 +1,7 @@
 name: Windows Process Execution in Temp Dir
 id: f6fbe929-4187-4ba4-901e-8a34be838443
-version: 5
-date: '2025-08-20'
+version: 6
+date: '2025-09-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -80,6 +80,7 @@ tags:
   - Qakbot
   - Trickbot
   - PathWiper
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
   - T1543

detections/endpoint/windows_suspicious_process_file_path.yml

@@ -122,6 +122,7 @@ tags:
   - Interlock Ransomware
   - Interlock Rat
   - NailaoLocker Ransomware
+  - PromptLock
   - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:

stories/promptlock.yml

@@ -0,0 +1,19 @@
+name: PromptLock
+id: e86c8a7b-28f3-4aca-b6fa-50f4e8af2d2e
+version: 1
+date: '2025-09-09'
+author: Teoderick Contreras, Splunk
+status: production
+description: PromptLock is a proof-of-concept ransomware identified by ESET in August 2025, marking the first known instance of malware utilizing generative artificial intelligence (GenAI) for attack execution. Unlike traditional ransomware, PromptLock employs a locally hosted AI language model, specifically OpenAI's gpt-oss:20b, accessed via the Ollama API, to dynamically generate malicious Lua scripts in real time. These scripts are compatible across multiple platforms, including Windows, Linux, and macOS. During an infection, PromptLock autonomously determines which files to target for exfiltration or encryption based on predefined prompts, allowing it to adapt its behavior to the environment. The malware utilizes the SPECK 128-bit encryption algorithm and is written in Golang. While ESET considers PromptLock a proof of concept, its capabilities highlight the potential for AI to significantly enhance the sophistication and adaptability of ransomware attacks.
+narrative: In August 2025, ESET researchers uncovered PromptLock, a proof-of-concept ransomware that represents a new frontier in cyber threats. Unlike conventional ransomware, PromptLock leverages generative artificial intelligence to autonomously create malicious scripts tailored to its environment. Using a locally hosted AI language model accessed through the Ollama API, it generates Lua scripts on the fly, enabling it to adapt dynamically to different operating systems, including Windows, macOS, and Linux. The malware can identify and target files for encryption or exfiltration based on contextual prompts, demonstrating a level of adaptability previously unseen in ransomware. Written in Golang and employing SPECK 128-bit encryption, PromptLock exemplifies how AI can enhance both the sophistication and evasiveness of malicious software. While currently a proof of concept, its discovery underscores the emerging risk of AI-driven cyberattacks and highlights the need for vigilant, forward-looking cybersecurity measures.
+references:
+  - https://x.com/ESETresearch/status/1963209716684718315
+  - https://arxiv.org/pdf/2508.20444
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection