diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index 5cbf185398..34ca23a6d1 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -1,7 +1,7 @@ name: BITSAdmin Download File id: 80630ff4-8e4c-11eb-aab5-acde48001122 -version: 12 -date: '2025-07-29' +version: 13 +date: '2025-09-16' author: Michael Haag, Sittikorn S status: production type: TTP @@ -81,6 +81,7 @@ tags: - Flax Typhoon - Gozi Malware - Scattered Spider + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1197 diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml index 8f8ee34724..701f349102 100644 --- a/detections/endpoint/certutil_with_decode_argument.yml +++ b/detections/endpoint/certutil_with_decode_argument.yml @@ -1,7 +1,7 @@ name: CertUtil With Decode Argument id: bfe94226-8c10-11eb-a4b3-acde48001122 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: TTP @@ -79,6 +79,7 @@ tags: - Forest Blizzard - APT29 Diplomatic Deceptions with WINELOADER - Storm-2460 CLFS Zero Day Exploitation + - GhostRedirector IIS Module and Rungan Backdoor group: - APT29 - Cozy Bear diff --git a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml index 2041860f59..b2ff76c975 100644 --- a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml @@ -1,7 +1,7 @@ name: Cisco NVM - Webserver Download From File Sharing Website id: 1984f997-3b49-4d4b-a7e9-dc5dbf88370e -version: 2 -date: '2025-09-09' +version: 3 +date: '2025-09-16' author: Nasreddine Bencherchali, Splunk status: production type: TTP 
@@ -86,6 +86,7 @@ drilldown_searches: latest_offset: $info_max_time$ tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - Cisco Network Visibility Module Analytics asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index 87893ad201..17ff3a3ba3 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -1,7 +1,7 @@ name: Detect Exchange Web Shell id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a -version: 12 -date: '2025-05-02' +version: 13 +date: '2025-09-16' author: Michael Haag, Shannon Davis, David Dorsey, Splunk status: production type: TTP @@ -73,6 +73,7 @@ tags: - Compromised Windows Host - BlackByte Ransomware - Seashell Blizzard + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1133 diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index 691427139d..2ecaa67757 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage File id: 3bf5541a-6a45-4fdc-b01d-59b899fff961 -version: 10 -date: '2025-07-29' +version: 11 +date: '2025-09-16' author: Steven Dick status: production type: Anomaly @@ -90,6 +90,7 @@ tags: - Seashell Blizzard - Scattered Spider - Interlock Ransomware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1219 diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index 1480d189cf..222b356814 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml 
@@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage Process id: ffd5e001-2e34-48f4-97a2-26dc4bb08178 -version: 10 -date: '2025-07-29' +version: 11 +date: '2025-09-16' author: Steven Dick, Sebastian Wurl, Splunk Community status: production type: Anomaly @@ -104,6 +104,7 @@ tags: - Seashell Blizzard - Scattered Spider - Interlock Ransomware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1219 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index f77b167c82..b860862af6 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 18 -date: '2025-07-28' +version: 19 +date: '2025-09-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -114,6 +114,7 @@ tags: - Interlock Ransomware - Interlock Rat - NailaoLocker Ransomware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml index cc3568e2e1..7e2559f0e8 100644 --- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml +++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml @@ -1,7 +1,7 @@ name: Headless Browser Mockbin or Mocky Request id: 94fc85a1-e55b-4265-95e1-4b66730e05c0 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: TTP @@ -65,6 +65,7 @@ rba: tags: analytic_story: - Forest Blizzard + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint atomic_guid: [] mitre_attack_id: 
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml index 2b3b6bd436..e679cc9ffb 100644 --- a/detections/endpoint/lolbas_with_network_traffic.yml +++ b/detections/endpoint/lolbas_with_network_traffic.yml @@ -1,7 +1,7 @@ name: LOLBAS With Network Traffic id: 2820f032-19eb-497e-8642-25b04a880359 -version: 11 -date: '2025-05-26' +version: 12 +date: '2025-09-16' author: Steven Dick status: production type: TTP @@ -74,6 +74,7 @@ tags: - Living Off The Land - Malicious Inno Setup Loader - Water Gamayun + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index a71722d49f..b5462d6577 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -1,7 +1,7 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 16 -date: '2025-07-29' +version: 17 +date: '2025-09-16' author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting @@ -62,6 +62,7 @@ tags: - Crypto Stealer - Microsoft SharePoint Vulnerabilities - Scattered Spider + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1027 diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml index af1228ccaa..daaea6c7f2 100644 --- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml +++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml 
@@ -1,7 +1,7 @@ name: Malicious PowerShell Process With Obfuscation Techniques id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4 -version: 12 -date: '2025-05-02' +version: 13 +date: '2025-09-16' author: David Dorsey, Splunk status: production type: TTP @@ -65,6 +65,7 @@ tags: - Malicious PowerShell - Hermetic Wiper - Data Destruction + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml index 243bae6181..40cb43e4bd 100644 --- a/detections/endpoint/powershell_4104_hunting.yml +++ b/detections/endpoint/powershell_4104_hunting.yml @@ -1,7 +1,7 @@ name: PowerShell 4104 Hunting id: d6f2b006-0041-11ec-8885-acde48001122 -version: 19 -date: '2025-08-22' +version: 20 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Hunting @@ -83,6 +83,7 @@ tags: - Scattered Spider - Interlock Ransomware - 0bj3ctivity Stealer + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml index 75043260ec..abce56d31c 100644 --- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml +++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml @@ -1,7 +1,7 @@ name: Powershell Fileless Script Contains Base64 Encoded Content id: 8acbc04c-c882-11eb-b060-acde48001122 -version: 12 -date: '2025-08-22' +version: 13 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: TTP @@ -64,6 +64,7 @@ tags: - IcedID - XWorm - 0bj3ctivity Stealer + - GhostRedirector IIS Module and Rungan Backdoor mitre_attack_id: - T1027 - T1059.001 
diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml index 672893ec2c..bfe675e3c2 100644 --- a/detections/endpoint/short_lived_windows_accounts.yml +++ b/detections/endpoint/short_lived_windows_accounts.yml @@ -1,7 +1,7 @@ name: Short Lived Windows Accounts id: b25f6f62-0782-43c1-b403-083231ffd97d -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-16' author: David Dorsey, Bhavin Patel, Splunk status: production type: TTP @@ -62,6 +62,7 @@ rba: tags: analytic_story: - Active Directory Lateral Movement + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Windows mitre_attack_id: - T1078.003 diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml index 22c426f43c..230142e26a 100644 --- a/detections/endpoint/suspicious_curl_network_connection.yml +++ b/detections/endpoint/suspicious_curl_network_connection.yml @@ -1,7 +1,7 @@ name: Suspicious Curl Network Connection id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-16' author: Michael Haag, Splunk status: experimental type: TTP @@ -53,6 +53,7 @@ tags: - Silver Sparrow - Ingress Tool Transfer - Linux Living Off The Land + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml index 844389b65c..7d9c64d04e 100644 --- a/detections/endpoint/suspicious_process_executed_from_container_file.yml +++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml @@ -1,7 +1,7 @@ name: Suspicious Process Executed From Container File id: d8120352-3b62-411c-8cb6-7b47584dd5e8 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-16' author: Steven Dick status: production type: TTP 
@@ -74,6 +74,7 @@ rba: type: file_name tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - Unusual Processes - Amadey - Remcos diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml index 94f9f63944..b05d9e35a0 100644 --- a/detections/endpoint/w3wp_spawning_shell.yml +++ b/detections/endpoint/w3wp_spawning_shell.yml @@ -1,7 +1,7 @@ name: W3WP Spawning Shell id: 0f03423c-7c6a-11eb-bc47-acde48001122 -version: 9 -date: '2025-07-20' +version: 10 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: TTP @@ -79,6 +79,7 @@ tags: - WS FTP Server Critical Vulnerabilities - PHP-CGI RCE Attack on Japanese Organizations - Microsoft SharePoint Vulnerabilities + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint cve: - CVE-2021-34473 diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 62ee251495..18abb11365 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -1,7 +1,7 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 -version: 15 -date: '2025-08-20' +version: 16 +date: '2025-09-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -70,6 +70,7 @@ tags: - ValleyRAT - Brute Ratel C4 - PathWiper + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1134.002 diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml index ae723e17bc..4dd2683c5f 100644 --- a/detections/endpoint/windows_create_local_account.yml +++ b/detections/endpoint/windows_create_local_account.yml 
@@ -1,7 +1,7 @@ name: Windows Create Local Account id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Anomaly @@ -55,6 +55,7 @@ tags: analytic_story: - Active Directory Password Spraying - CISA AA24-241A + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1136.001 diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml index 701ffca78e..e021ff5d5d 100644 --- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml +++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml @@ -1,7 +1,7 @@ name: Windows Create Local Administrator Account Via Net id: 2c568c34-bb57-4b43-9d75-19c605b98e70 -version: 5 -date: '2025-05-02' +version: 6 +date: '2025-09-16' author: Bhavin Patel, Splunk status: production type: Anomaly @@ -79,6 +79,7 @@ tags: - CISA AA24-241A - Azorult - DarkGate Malware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1136.001 diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml index 97afbe592b..c0609abacd 100644 --- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml +++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml @@ -1,7 +1,7 @@ name: Windows Curl Download to Suspicious Path id: c32f091e-30db-11ec-8738-acde48001122 -version: 15 -date: '2025-09-09' +version: 16 +date: '2025-09-16' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: TTP @@ -93,6 +93,7 @@ rba: type: process_name tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - Black Basta Ransomware - China-Nexus Threat Activity - Forest Blizzard 
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index 2855b926ec..755674d0a7 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows File Download Via PowerShell id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de -version: 2 -date: '2025-09-09' +version: 3 +date: '2025-09-16' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -90,6 +90,7 @@ rba: type: process_name tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - Winter Vivern - Phemedrone Stealer - Malicious PowerShell diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 1c14946754..f4eda1f6fd 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml @@ -1,7 +1,7 @@ name: Windows HTTP Network Communication From MSIExec id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99 -version: 6 -date: '2025-06-30' +version: 7 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Anomaly @@ -81,6 +81,7 @@ rba: type: process_name tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - Windows System Binary Proxy Execution MSIExec - Water Gamayun - Cisco Network Visibility Module Analytics diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml index ec0789649e..7a15afbea1 100644 --- a/detections/endpoint/windows_iis_components_add_new_module.yml +++ b/detections/endpoint/windows_iis_components_add_new_module.yml 
@@ -1,7 +1,7 @@ name: Windows IIS Components Add New Module id: 38fe731c-1f13-43d4-b878-a5bbe44807e3 -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Anomaly @@ -78,6 +78,7 @@ rba: tags: analytic_story: - IIS Components + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1505.004 diff --git a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml index 2d8ef9e9fa..1111113e3b 100644 --- a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml +++ b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml @@ -1,7 +1,7 @@ name: Windows IIS Components Get-WebGlobalModule Module Query id: 20db5f70-34b4-4e83-8926-fa26119de173 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Hunting @@ -32,6 +32,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004 tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - IIS Components - WS FTP Server Critical Vulnerabilities asset_type: Endpoint diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml index 6be57c1552..362b4342f8 100644 --- a/detections/endpoint/windows_iis_components_new_module_added.yml +++ b/detections/endpoint/windows_iis_components_new_module_added.yml @@ -1,7 +1,7 @@ name: Windows IIS Components New Module Added id: 55f22929-cfd3-4388-ba5c-4d01fac7ee7e -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: TTP @@ -54,6 +54,7 @@ rba: tags: analytic_story: - IIS Components + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1505.004 
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml index 8b125a304b..064c940929 100644 --- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml +++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry Disable Restricted Admin id: cee573a0-7587-48e6-ae99-10e8c657e89a -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-16' author: Teoderick Contreras, Splunk status: production type: TTP @@ -61,6 +61,7 @@ rba: threat_objects: [] tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - Medusa Ransomware - CISA AA23-347A asset_type: Endpoint diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml index f8023fbcdd..2b7ed23330 100644 --- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml +++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml @@ -1,7 +1,7 @@ name: Windows Obfuscated Files or Information via RAR SFX id: 4ab6862b-ce88-4223-96c0-f6da2cffb898 -version: 4 -date: '2025-05-02' +version: 5 +date: '2025-09-16' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 @@ -53,6 +53,7 @@ rba: tags: analytic_story: - Crypto Stealer + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1027.013 diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml index 58fe02000e..4eb08ec13a 100644 --- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml +++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml 
@@ -1,7 +1,7 @@ name: Windows PowerShell IIS Components WebGlobalModule Usage id: 33fc9f6f-0ce7-4696-924e-a69ec61a3d57 -version: 8 -date: '2025-06-24' +version: 9 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Anomaly @@ -62,6 +62,7 @@ rba: threat_objects: [] tags: analytic_story: + - GhostRedirector IIS Module and Rungan Backdoor - IIS Components asset_type: Endpoint mitre_attack_id: diff --git a/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml b/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml index 14cc721a8c..73867f8ac9 100644 --- a/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml +++ b/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml @@ -1,7 +1,7 @@ name: Windows PowerShell Invoke-Sqlcmd Execution id: 5eb76fe2-a869-4865-8c4c-8cff424b18a1 -version: 2 -date: '2025-05-02' +version: 3 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Hunting @@ -113,6 +113,7 @@ references: tags: analytic_story: - SQL Server Abuse + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml index 7b91acbef6..9496bc35f2 100644 --- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml +++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml @@ -1,7 +1,7 @@ name: Windows Privilege Escalation Suspicious Process Elevation id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-16' author: Steven Dick status: production type: TTP @@ -86,6 +86,7 @@ tags: analytic_story: - Windows Privilege Escalation - BlackSuit Ransomware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1068 
diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml index 8c58815535..9438a944e2 100644 --- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml +++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml @@ -1,7 +1,7 @@ name: Windows Privilege Escalation User Process Spawn System Process id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-16' author: Steven Dick status: production type: TTP @@ -77,6 +77,7 @@ tags: - Windows Privilege Escalation - Compromised Windows Host - BlackSuit Ransomware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1068 diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml index d2597749ce..333d9b4c35 100644 --- a/detections/endpoint/windows_process_execution_from_programdata.yml +++ b/detections/endpoint/windows_process_execution_from_programdata.yml @@ -1,7 +1,7 @@ name: Windows Process Execution From ProgramData id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0 -version: '4' -date: '2025-05-06' +version: '5' +date: '2025-09-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -71,6 +71,7 @@ tags: - XWorm - Salt Typhoon - China-Nexus Threat Activity + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1036.005 diff --git a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml index 6f51942c15..98b88bca4c 100644 --- a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml +++ b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml 
@@ -1,7 +1,7 @@ name: Windows SQL Server xp_cmdshell Config Change id: 5eb76fe2-a869-4865-8c4c-8cff424b18b1 -version: 5 -date: '2025-08-27' +version: 6 +date: '2025-09-16' author: Michael Haag, Splunk, sidoyle from Splunk Community status: production type: TTP @@ -65,6 +65,7 @@ tags: analytic_story: - SQL Server Abuse - Seashell Blizzard + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Windows mitre_attack_id: - T1505.001 diff --git a/detections/endpoint/windows_sqlcmd_execution.yml b/detections/endpoint/windows_sqlcmd_execution.yml index cdedfee354..82b37fceb0 100644 --- a/detections/endpoint/windows_sqlcmd_execution.yml +++ b/detections/endpoint/windows_sqlcmd_execution.yml @@ -1,7 +1,7 @@ name: Windows SQLCMD Execution id: 4e7c2f85-8f02-4bd2-a48b-5ec98a2c5f72 -version: 2 -date: '2025-05-02' +version: 3 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: Hunting @@ -180,6 +180,7 @@ references: tags: analytic_story: - SQL Server Abuse + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1059.003 diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml index 5aa826075f..b6e39ecdb5 100644 --- a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml +++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Child Process Spawned From WebServer id: 2d4470ef-7158-4b47-b68b-1f7f16382156 -version: 5 -date: '2025-07-20' +version: 6 +date: '2025-09-16' author: Steven Dick status: production type: TTP @@ -91,6 +91,7 @@ tags: - Compromised Windows Host - Citrix ShareFile RCE CVE-2023-24489 - Microsoft SharePoint Vulnerabilities + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1505.003 
diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 75ca85c3bd..6ae613e767 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 15 -date: '2025-07-28' +version: 16 +date: '2025-09-16' author: Teoderick Contreras, Splunk status: production type: TTP @@ -122,6 +122,7 @@ tags: - Interlock Ransomware - Interlock Rat - NailaoLocker Ransomware + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml index 585f387d40..39a1ad6a3d 100644 --- a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml +++ b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml @@ -1,7 +1,7 @@ name: Ivanti EPM SQL Injection Remote Code Execution id: e20564ca-c86c-4e30-acdb-a8486673426f -version: 4 -date: '2025-05-02' +version: 5 +date: '2025-09-16' author: Michael Haag type: TTP status: production @@ -66,6 +66,7 @@ rba: tags: analytic_story: - Ivanti EPM Vulnerabilities + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Web Server mitre_attack_id: - T1190 diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml index 3c061bc222..b96974a782 100644 --- a/detections/web/sql_injection_with_long_urls.yml +++ b/detections/web/sql_injection_with_long_urls.yml @@ -1,7 +1,7 @@ name: SQL Injection with Long URLs id: e0aad4cf-0790-423b-8328-7564d0d938f9 -version: 7 -date: '2025-05-02' +version: 8 +date: '2025-09-16' author: Bhavin Patel, Splunk status: experimental type: TTP 
@@ -46,6 +46,7 @@ rba: tags: analytic_story: - SQL Injection + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Database Server mitre_attack_id: - T1190 diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml index a065bcc2f4..61505d7d67 100644 --- a/detections/web/supernova_webshell.yml +++ b/detections/web/supernova_webshell.yml @@ -1,7 +1,7 @@ name: Supernova Webshell id: 2ec08a09-9ff1-4dac-b59f-1efd57972ec1 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-16' author: John Stoner, Splunk status: experimental type: TTP @@ -42,6 +42,7 @@ tags: analytic_story: - NOBELIUM Group - Earth Alux + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Web Server mitre_attack_id: - T1505.003 diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml index 11c5f6bd93..6ca1c0d3fd 100644 --- a/detections/web/web_remote_shellservlet_access.yml +++ b/detections/web/web_remote_shellservlet_access.yml @@ -1,7 +1,7 @@ name: Web Remote ShellServlet Access id: c2a332c3-24a2-4e24-9455-0e80332e6746 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-09-16' author: Michael Haag, Splunk status: production type: TTP @@ -54,6 +54,7 @@ rba: tags: analytic_story: - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server + - GhostRedirector IIS Module and Rungan Backdoor asset_type: Web Server atomic_guid: [] mitre_attack_id: diff --git a/stories/ghostredirector_iis_module_and_rungan_backdoor.yml b/stories/ghostredirector_iis_module_and_rungan_backdoor.yml new file mode 100644 index 0000000000..d392e86bfd --- /dev/null +++ b/stories/ghostredirector_iis_module_and_rungan_backdoor.yml 
@@ -0,0 +1,40 @@ +name: GhostRedirector IIS Module and Rungan Backdoor +id: 69005a1d-05fa-4511-be91-aa260641ee10 +version: 1 +status: production +date: '2025-09-18' +author: Michael Haag, Splunk +description: | + This story tracks GhostRedirector, a China‑aligned threat actor that compromises + Windows servers and abuses IIS to deliver SEO fraud alongside a passive C++ + backdoor. The actor leverages web application flaws, most notably SQL injection, + to execute PowerShell via sqlserver.exe and retrieve tooling from a shared + staging infrastructure. Persistence and server‑side manipulation are achieved by + installing a native IIS module, while command execution and basic backdoor + capabilities are provided by the Rungan implant. Tooling, including privilege + escalation components, is frequently staged in ProgramData paths and may be + obfuscated or signed to evade controls. +narrative: | + Following initial access through exploitation of public‑facing applications, + GhostRedirector issues PowerShell and CertUtil downloads from 868id[.]com to + place binaries under C:\\ProgramData\\Microsoft\\DRM\\log. A malicious native IIS + module (Gamshen) is registered so that w3wp.exe can selectively manipulate + responses for search engine crawlers, enabling SEO fraud. In parallel, the group + deploys the Rungan backdoor to execute commands over HTTP. Privilege escalation + relies on public "Potato" techniques (for example EfsPotato and BadPotato) to + create or modify local administrator accounts as fallback access. Observed tradecraft + includes obfuscation with .NET Reactor, AES‑based string decryption, and occasional + use of code‑signed binaries. The combined behaviors present multiple detection + opportunities across IIS module installation and loading, webserver‑spawned + shells, SQL Server xp_cmdshell abuse, privileged account creation, and unusual + file staging or download activity in ProgramData. 
+references: +- https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/ +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file
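Review bot: In the `cisco_nvm___webserver_download_from_file_sharing_website.yml` hunk at `@@ -86,6 +86,7 @@`, the story is inserted at the top of `analytic_story`, whereas most other hunks in this patch append it at the end of the list; pick one placement (appending is the pattern for the majority here) so future diffs stay minimal. Also check that this analytic actually fits the story: the narrative describes downloads from `868id[.]com`, a staging host, not a file-sharing website, so this mapping may surface unrelated context in the story view.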
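Review bot: In the `suspicious_curl_network_connection.yml` hunk at `@@ -1,7 +1,7 @@`, the analytic is `status: experimental` and its existing tags (visible in the following hunk) place it under `Linux Living Off The Land`, while the story is `status: production` and describes compromised Windows servers; `windows_curl_download_to_suspicious_path.yml`, already in this patch, covers the Windows curl case, so consider dropping this mapping or documenting why an experimental Linux-oriented analytic belongs in a production Windows story.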
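Review bot: In the `windows_process_execution_from_programdata.yml` hunk at `@@ -1,7 +1,7 @@`, `version` is bumped as a quoted string (`-version: '4'` / `+version: '5'`) while every other detection in this patch uses a bare integer; since the line is being touched anyway, write `version: 5` so the field type is consistent across the repository.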
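Review bot: In the `windows_sql_server_xp_cmdshell_config_change.yml` hunk at `@@ -1,7 +1,7 @@`, the context line shows `id: 5eb76fe2-a869-4865-8c4c-8cff424b18b1`, which differs from the `windows_powershell_invoke_sqlcmd_execution.yml` id `5eb76fe2-a869-4865-8c4c-8cff424b18a1` in only the final byte; the two are distinct, but the pattern suggests a hand-edited copy rather than a generated UUID. Not introduced by this change, but worth a follow-up so detection ids stay unambiguous.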
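Review bot: In the `ivanti_epm_sql_injection_remote_code_execution.yml` hunk at `@@ -66,6 +66,7 @@`, this analytic is specific to Ivanti EPM, yet the story narrative only names SQL injection generically and the single reference does not mention Ivanti; mapping a product-specific detection here will attach Ivanti EPM context to a story that does not describe it. Keep the mapping only if the referenced research documents Ivanti EPM as the exploited application; otherwise rely on the generic `sql_injection_with_long_urls.yml` and webserver analytics already in this patch.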
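Review bot: In the `supernova_webshell.yml` hunk at `@@ -42,6 +42,7 @@`, the story narrative names the Gamshen IIS module and the Rungan backdoor but never Supernova, and the analytic's own `analytic_story` context (`NOBELIUM Group`, `Earth Alux`) and `status: experimental` point to a different campaign; consider dropping this mapping, since `detect_exchange_web_shell.yml` and `windows_suspicious_child_process_spawned_from_webserver.yml` already cover the webshell and IIS angles the narrative describes.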
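Review bot: In the `web_remote_shellservlet_access.yml` hunk at `@@ -54,6 +54,7 @@`, the existing story context is `CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server`, a Confluence-specific vector, whereas this story concerns IIS on Windows servers and lists no Confluence exploitation in its narrative; either add the supporting detail to `narrative:` or remove this mapping so the story does not imply tradecraft the reference does not document.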
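Review bot: In the `windows_modify_registry_disable_restricted_admin.yml` hunk at `@@ -61,6 +61,7 @@`, nothing in the story's `description:` or `narrative:` mentions RDP or Restricted Admin mode; the narrative covers SQL injection, PowerShell and CertUtil downloads, IIS module registration, Potato privilege escalation and local admin account creation. Either extend the narrative with the observed registry change or drop this mapping, so each analytic in the story is traceable to described behavior.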
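Review bot: In the new `stories/ghostredirector_iis_module_and_rungan_backdoor.yml` hunk at `@@ -0,0 +1,40 @@`, `description:` says PowerShell is executed "via sqlserver.exe", but the SQL Server service binary is `sqlservr.exe`; correct the name so analysts searching process data match the real image. Three more points in the same hunk: the `narrative:` path `C:\\ProgramData\\Microsoft\\DRM\\log` sits inside a `|` literal block scalar, where backslashes are not escape characters, so the rendered text will show doubled backslashes (use single ones); several words (`China‑aligned`, `public‑facing`, `server‑side`, `AES‑based`, `webserver‑spawned`, `code‑signed`) use the U+2011 non-breaking hyphen rather than ASCII `-`, which breaks plain-text search; and `date: '2025-09-18'` does not match the `2025-09-16` used on every detection bump in this patch, and the file is missing its trailing newline.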