splunk · MHaggis · Sep 18, 2025 · Sep 18, 2025
@@ -1,7 +1,7 @@
 name: BITSAdmin Download File
 id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 12
-date: '2025-07-29'
+version: 13
+date: '2025-09-16'
 author: Michael Haag, Sittikorn S
 status: production
 type: TTP
@@ -81,6 +81,7 @@ tags:
   - Flax Typhoon
   - Gozi Malware
   - Scattered Spider
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1197

@@ -1,7 +1,7 @@
 name: CertUtil With Decode Argument
 id: bfe94226-8c10-11eb-a4b3-acde48001122
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -79,6 +79,7 @@ tags:
   - Forest Blizzard
   - APT29 Diplomatic Deceptions with WINELOADER
   - Storm-2460 CLFS Zero Day Exploitation
+  - GhostRedirector IIS Module and Rungan Backdoor
   group:
   - APT29
   - Cozy Bear

@@ -1,7 +1,7 @@
 name: Cisco NVM - Webserver Download From File Sharing Website
 id: 1984f997-3b49-4d4b-a7e9-dc5dbf88370e
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-16'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -86,6 +86,7 @@ drilldown_searches:
     latest_offset: $info_max_time$
 tags:
   analytic_story:
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Cisco Network Visibility Module Analytics
   asset_type: Endpoint
   mitre_attack_id:

@@ -1,7 +1,7 @@
 name: Detect Exchange Web Shell
 id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-09-16'
 author: Michael Haag, Shannon Davis, David Dorsey, Splunk
 status: production
 type: TTP
@@ -73,6 +73,7 @@ tags:
   - Compromised Windows Host
   - BlackByte Ransomware
   - Seashell Blizzard
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1133

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 10
-date: '2025-07-29'
+version: 11
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -90,6 +90,7 @@ tags:
   - Seashell Blizzard
   - Scattered Spider
   - Interlock Ransomware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 10
-date: '2025-07-29'
+version: 11
+date: '2025-09-16'
 author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
@@ -104,6 +104,7 @@ tags:
   - Seashell Blizzard
   - Scattered Spider
   - Interlock Ransomware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 18
-date: '2025-07-28'
+version: 19
+date: '2025-09-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -114,6 +114,7 @@ tags:
   - Interlock Ransomware
   - Interlock Rat
   - NailaoLocker Ransomware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: Headless Browser Mockbin or Mocky Request
 id: 94fc85a1-e55b-4265-95e1-4b66730e05c0
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -65,6 +65,7 @@ rba:
 tags:
   analytic_story:
   - Forest Blizzard
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   atomic_guid: []
   mitre_attack_id:

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 11
-date: '2025-05-26'
+version: 12
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: TTP
@@ -74,6 +74,7 @@ tags:
   - Living Off The Land
   - Malicious Inno Setup Loader
   - Water Gamayun
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 16
-date: '2025-07-29'
+version: 17
+date: '2025-09-16'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
 type: Hunting
@@ -62,6 +62,7 @@ tags:
   - Crypto Stealer
   - Microsoft SharePoint Vulnerabilities
   - Scattered Spider
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1027

@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process With Obfuscation Techniques
 id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2025-09-16'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -65,6 +65,7 @@ tags:
   - Malicious PowerShell
   - Hermetic Wiper
   - Data Destruction
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 19
-date: '2025-08-22'
+version: 20
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -83,6 +83,7 @@ tags:
   - Scattered Spider
   - Interlock Ransomware
   - 0bj3ctivity Stealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 12
-date: '2025-08-22'
+version: 13
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -64,6 +64,7 @@ tags:
   - IcedID
   - XWorm
   - 0bj3ctivity Stealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   mitre_attack_id:
   - T1027
   - T1059.001

@@ -1,7 +1,7 @@
 name: Short Lived Windows Accounts
 id: b25f6f62-0782-43c1-b403-083231ffd97d
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-16'
 author: David Dorsey, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -62,6 +62,7 @@ rba:
 tags:
   analytic_story:
   - Active Directory Lateral Movement
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Windows
   mitre_attack_id:
   - T1078.003

@@ -1,7 +1,7 @@
 name: Suspicious Curl Network Connection
 id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -53,6 +53,7 @@ tags:
   - Silver Sparrow
   - Ingress Tool Transfer
   - Linux Living Off The Land
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

@@ -1,7 +1,7 @@
 name: Suspicious Process Executed From Container File
 id: d8120352-3b62-411c-8cb6-7b47584dd5e8
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: TTP
@@ -74,6 +74,7 @@ rba:
       type: file_name
 tags:
   analytic_story:
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Unusual Processes
     - Amadey
     - Remcos

@@ -1,7 +1,7 @@
 name: W3WP Spawning Shell
 id: 0f03423c-7c6a-11eb-bc47-acde48001122
-version: 9
-date: '2025-07-20'
+version: 10
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -79,6 +79,7 @@ tags:
   - WS FTP Server Critical Vulnerabilities
   - PHP-CGI RCE Attack on Japanese Organizations
   - Microsoft SharePoint Vulnerabilities
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   cve:
   - CVE-2021-34473

@@ -1,7 +1,7 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 15
-date: '2025-08-20'
+version: 16
+date: '2025-09-16'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -70,6 +70,7 @@ tags:
   - ValleyRAT
   - Brute Ratel C4
   - PathWiper
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1134.002

@@ -1,7 +1,7 @@
 name: Windows Create Local Account
 id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -55,6 +55,7 @@ tags:
   analytic_story:
   - Active Directory Password Spraying
   - CISA AA24-241A
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1136.001

@@ -1,7 +1,7 @@
 name: Windows Create Local Administrator Account Via Net
 id: 2c568c34-bb57-4b43-9d75-19c605b98e70
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-09-16'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -79,6 +79,7 @@ tags:
   - CISA AA24-241A
   - Azorult
   - DarkGate Malware
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1136.001

@@ -1,7 +1,7 @@
 name: Windows Curl Download to Suspicious Path
 id: c32f091e-30db-11ec-8738-acde48001122
-version: 15
-date: '2025-09-09'
+version: 16
+date: '2025-09-16'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -93,6 +93,7 @@ rba:
       type: process_name
 tags:
   analytic_story:
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Black Basta Ransomware
     - China-Nexus Threat Activity
     - Forest Blizzard

@@ -1,7 +1,7 @@
 name: Windows File Download Via PowerShell
 id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-16'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -90,6 +90,7 @@ rba:
       type: process_name
 tags:
   analytic_story:
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Winter Vivern
     - Phemedrone Stealer
     - Malicious PowerShell