From 06cb9fe29d02d69627c861ceedbdcc8ef59a2c57 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Sep 2025 09:55:05 +0200 Subject: [PATCH 1/4] promptlock --- ...m___curl_execution_with_insecure_flags.yml | 66 ++++++++++--------- ..._or_script_creation_in_suspicious_path.yml | 5 +- ...tables_or_script_creation_in_temp_path.yml | 54 ++++++++------- ...dows_curl_upload_to_remote_destination.yml | 54 ++++++++------- .../windows_process_execution_in_temp_dir.yml | 5 +- .../windows_suspicious_process_file_path.yml | 5 +- stories/promptlock.yml | 19 ++++++ 7 files changed, 123 insertions(+), 85 deletions(-) create mode 100644 stories/promptlock.yml diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml index 4a4cc8fbb8..36c7fa5115 100644 --- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml +++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml @@ -1,7 +1,7 @@ name: Cisco NVM - Curl Execution With Insecure Flags id: cc695238-3117-4e60-aa83-4beac2a42c69 -version: 1 -date: '2025-07-01' +version: 2 +date: '2025-09-10' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -13,7 +13,7 @@ description: | This behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints, a common tactic in red team operations, malware staging, or data exfiltration over HTTPS. data_source: - - Cisco Network Visibility Module Flow Data +- Cisco Network Visibility Module Flow Data search: | `cisco_network_visibility_module_flowdata` process_name = "curl.exe" 
@@ -56,42 +56,46 @@ known_false_positives: | Usage of these flags to reach public IPs or uncommon destinations should be reviewed. Tuning may be required for domains with known certificate issues. references: - - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ +- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ drilldown_searches: - - name: View the detection results for - "$src$" - search: '%original_detection_search% | search src = "$src$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$src$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) - as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) - as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | 
`security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: The host $src$ executed curl with insecure flags and communicated with $dest$ / $dest_hostname$ over port $dest_port$ + message: The host $src$ executed curl with insecure flags and communicated + with $dest$ / $dest_hostname$ over port $dest_port$ risk_objects: - - field: src - type: system - score: 30 + - field: src + type: system + score: 30 threat_objects: - - field: process_name - type: process_name + - field: process_name + type: process_name tags: analytic_story: - - Cisco Network Visibility Module Analytics + - Cisco Network Visibility Module Analytics + - PromptLock asset_type: Endpoint mitre_attack_id: - - T1197 + - T1197 product: - - Splunk Enterprise - - Splunk Enterprise Security + - Splunk Enterprise + - Splunk Enterprise Security security_domain: endpoint tests: - - name: True Positive Test - Cisco NVM - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log - source: not_applicable - sourcetype: cisco:nvm:flowdata +- name: True Positive Test - Cisco NVM + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log + source: not_applicable + sourcetype: cisco:nvm:flowdata diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index f77b167c82..e0b31e192b 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml 
@@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 18 -date: '2025-07-28' +version: 19 +date: '2025-09-10' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -114,6 +114,7 @@ tags: - Interlock Ransomware - Interlock Rat - NailaoLocker Ransomware + - PromptLock asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 47b18998c3..cb9a3b1c84 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml 
@@ -1,34 +1,37 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 -version: 15 -date: '2025-08-07' +version: 16 +date: '2025-09-10' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic identifies the creation of executables or scripts - in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem - data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created - in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is - significant as adversaries often use these paths to evade detection and maintain - persistence. If confirmed malicious, this behavior could allow attackers to execute - unauthorized code, escalate privileges, or persist within the environment, posing - a significant security threat. +description: The following analytic identifies the creation of executables or + scripts in suspicious file paths on Windows systems. It leverages the + Endpoint.Filesystem data model to detect files with specific extensions (e.g., + .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, + \users\public\). This activity is significant as adversaries often use these + paths to evade detection and maintain persistence. If confirmed malicious, + this behavior could allow attackers to execute unauthorized code, escalate + privileges, or persist within the environment, posing a significant security + threat. 
data_source: - Sysmon EventID 11 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", - "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", - "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action Filesystem.dest Filesystem.file_access_time - Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name - Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid - Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the Filesystem responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Filesystem` node. -known_false_positives: Administrators may allow creation of script or exe in the paths - specified. Filter as needed. 
+ "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN + ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action + Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash + Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl + Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user + Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`' +how_to_implement: To successfully implement this search you need to be ingesting + information on process that include the name of the Filesystem responsible for + the changes from your endpoints into the `Endpoint` datamodel in the + `Filesystem` node. +known_false_positives: Administrators may allow creation of script or exe in the + paths specified. Filter as needed. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ @@ -49,8 +52,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Potentially suspicious executable or script with file name $file_name$, - $file_path$ and process_id $process_id$ was created in temporary folder by $user$ + message: Potentially suspicious executable or script with file name + $file_name$, $file_path$ and process_id $process_id$ was created in + temporary folder by $user$ risk_objects: - field: user type: user @@ -102,6 +106,7 @@ tags: - Amadey - IcedID - Interlock Rat + - PromptLock asset_type: Endpoint mitre_attack_id: - T1036 
@@ -113,6 +118,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml index fc2336e6a9..ea979ad5b1 100644 --- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml +++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml 
@@ -1,17 +1,18 @@ name: Windows Curl Upload to Remote Destination id: 42f8f1a2-4228-11ec-aade-acde48001122 -version: 10 -date: '2025-06-20' +version: 11 +date: '2025-09-10' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of Windows Curl.exe to upload - a file to a remote destination. It identifies command-line arguments such as `-T`, - `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity - is significant because adversaries may use Curl to exfiltrate data or upload malicious - payloads. If confirmed malicious, this could lead to data breaches or further compromise - of the system. Analysts should review parallel processes and network logs to determine - if the upload was successful and isolate the endpoint if necessary. +description: The following analytic detects the use of Windows Curl.exe to + upload a file to a remote destination. It identifies command-line arguments + such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution + logs. This activity is significant because adversaries may use Curl to + exfiltrate data or upload malicious payloads. If confirmed malicious, this + could lead to data breaches or further compromise of the system. Analysts + should review parallel processes and network logs to determine if the upload + was successful and isolate the endpoint if necessary. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
@@ -27,17 +28,18 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives may be limited to source control applications - and may be required to be filtered out. +how_to_implement: The detection is based on data that originates from Endpoint + Detection and Response (EDR) agents. These agents are designed to provide + security-related telemetry from the endpoints where the agent is installed. To + implement this search, you must ingest logs that contain the process GUID, + process name, and parent process. Additionally, you must ingest complete + command-line executions. These logs must be processed using the appropriate + Splunk Technology Add-ons that are specific to the EDR product. The logs must + also be mapped to the `Processes` node of the `Endpoint` data model. Use the + Splunk Common Information Model (CIM) to normalize the field names and speed + up the data modeling process. 
+known_false_positives: False positives may be limited to source control + applications and may be required to be filtered out. references: - https://everything.curl.dev/usingcurl/uploads - https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409 @@ -57,8 +59,9 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$ uploading a file to a remote destination. + message: An instance of $parent_process_name$ spawning $process_name$ was + identified on endpoint $dest$ by user $user$ uploading a file to a remote + destination. risk_objects: - field: user type: user @@ -76,6 +79,7 @@ tags: - Compromised Windows Host - Ingress Tool Transfer - Cisco Network Visibility Module Analytics + - PromptLock asset_type: Endpoint mitre_attack_id: - T1105 @@ -87,11 +91,13 @@ tags: tests: - name: True Positive Test - Sysmon attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog - name: True Positive Test - Cisco NVM attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log + - data: + https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log source: not_applicable sourcetype: cisco:nvm:flowdata 
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index 64869cd130..4237d5d56b 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,7 +1,7 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 5 -date: '2025-08-20' +version: 6 +date: '2025-09-10' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -80,6 +80,7 @@ tags: - Qakbot - Trickbot - PathWiper + - PromptLock asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 75ca85c3bd..1d8355ee5b 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 15 -date: '2025-07-28' +version: 16 +date: '2025-09-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -122,6 +122,7 @@ tags: - Interlock Ransomware - Interlock Rat - NailaoLocker Ransomware + - PromptLock asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/stories/promptlock.yml b/stories/promptlock.yml new file mode 100644 index 0000000000..85344cf690 --- /dev/null +++ b/stories/promptlock.yml 
@@ -0,0 +1,19 @@ +name: PromptLock +id: e86c8a7b-28f3-4aca-b6fa-50f4e8af2d2e +version: 1 +date: '2025-09-09' +author: Teoderick Contreras, Splunk +status: production +description: PromptLock is a proof-of-concept ransomware identified by ESET in August 2025, marking the first known instance of malware utilizing generative artificial intelligence (GenAI) for attack execution. Unlike traditional ransomware, PromptLock employs a locally hosted AI language model, specifically OpenAI's gpt-oss:20b, accessed via the Ollama API, to dynamically generate malicious Lua scripts in real time. These scripts are compatible across multiple platforms, including Windows, Linux, and macOS. During an infection, PromptLock autonomously determines which files to target for exfiltration or encryption based on predefined prompts, allowing it to adapt its behavior to the environment. The malware utilizes the SPECK 128-bit encryption algorithm and is written in Golang. While ESET considers PromptLock a proof of concept, its capabilities highlight the potential for AI to significantly enhance the sophistication and adaptability of ransomware attacks. +narrative: In August 2025, ESET researchers uncovered PromptLock, a proof-of-concept ransomware that represents a new frontier in cyber threats. Unlike conventional ransomware, PromptLock leverages generative artificial intelligence to autonomously create malicious scripts tailored to its environment. Using a locally hosted AI language model accessed through the Ollama API, it generates Lua scripts on the fly, enabling it to adapt dynamically to different operating systems, including Windows, macOS, and Linux. The malware can identify and target files for encryption or exfiltration based on contextual prompts, demonstrating a level of adaptability previously unseen in ransomware. Written in Golang and employing SPECK 128-bit encryption, PromptLock exemplifies how AI can enhance both the sophistication and evasiveness of malicious software. 
While currently a proof of concept, its discovery underscores the emerging risk of AI-driven cyberattacks and highlights the need for vigilant, forward-looking cybersecurity measures. +references: + - https://x.com/ESETresearch/status/1963209716684718315 + - https://arxiv.org/pdf/2508.20444 +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From b3c9f1a71947fa540bd393972df0e310d5c260f5 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Sep 2025 10:01:04 +0200 Subject: [PATCH 2/4] promptlock --- detections/endpoint/windows_process_execution_in_temp_dir.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index 4237d5d56b..eca67ca707 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,6 +1,6 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 6 +version: 5 date: '2025-09-10' author: Teoderick Contreras, Splunk status: production From 889a9e4dc1ef9feb6fe38cb1c3bbe3421895cb46 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 29 Sep 2025 12:11:02 -0700 Subject: [PATCH 3/4] Update cisco_nvm___curl_execution_with_insecure_flags.yml --- .../endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml index 778ea00125..1de9e7d4d6 100644 --- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml +++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml 
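Review bot: The `narrative` and `description` in the new stories/promptlock.yml never state which behaviours the five detections tagged `- PromptLock` in this series actually cover (executable or script creation in temp and suspicious paths, curl uploads and curl with insecure flags, process execution from temp directories), so an analyst reading the story sees GenAI, Ollama API and Lua generation described but no explanation of why those Windows file-path and curl analytics are attached. A closing sentence in `narrative` such as `The analytics in this story cover executable and script creation in temp or suspicious paths and curl-based transfers on Windows; the Ollama API interaction and Lua script generation described above are not directly detected.` would make the coverage scope and the gap explicit. Both `description:` and `narrative:` are single plain-scalar lines of several hundred characters, while the same series re-wraps the detection files to roughly 80 columns; writing them as `description: >-` and `narrative: >-` folded block scalars would keep the file consistent with that style and diff-friendly. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` check will flag.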
@@ -1,6 +1,6 @@ name: Cisco NVM - Curl Execution With Insecure Flags id: cc695238-3117-4e60-aa83-4beac2a42c69 -version: 2 +version: 3 date: '2025-09-10' author: Nasreddine Bencherchali, Splunk status: production From 67217949341f739d3415956c5a4bd59114c6cda1 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 29 Sep 2025 12:11:26 -0700 Subject: [PATCH 4/4] Update windows_process_execution_in_temp_dir.yml --- detections/endpoint/windows_process_execution_in_temp_dir.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index eca67ca707..4237d5d56b 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,6 +1,6 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 5 +version: 6 date: '2025-09-10' author: Teoderick Contreras, Splunk status: production