renamed_earth_erties

Author: t-contreras

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: '12'
-date: '2025-02-24'
+version: '13'
+date: '2025-03-19'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -71,18 +71,18 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - Ingress Tool Transfer
+  - Data Destruction
+  - Malicious PowerShell
   - China-Nexus Threat Activity
-  - Crypto Stealer
   - Hermetic Wiper
   - DarkCrystal RAT
-  - Malicious PowerShell
-  - Earth Estries
   - Phemedrone Stealer
-  - Braodo Stealer
   - PXA Stealer
-  - Data Destruction
   - Log4Shell CVE-2021-44228
+  - Salt Typhoon
+  - Braodo Stealer
+  - Crypto Stealer
+  - Ingress Tool Transfer
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/detect_rare_executables.yml

@@ -1,7 +1,7 @@
 name: Detect Rare Executables
 id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac
-version: '8'
-date: '2025-02-07'
+version: '9'
+date: '2025-03-19'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -58,12 +58,12 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
+  - China-Nexus Threat Activity
+  - Unusual Processes
   - SnappyBee
+  - Salt Typhoon
   - Rhysida Ransomware
-  - China-Nexus Threat Activity
   - Crypto Stealer
-  - Earth Estries
-  - Unusual Processes
   asset_type: Endpoint
   mitre_attack_id:
   - T1204

detections/endpoint/detect_renamed_psexec.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: '12'
-date: '2025-02-24'
+version: '13'
+date: '2025-03-19'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
@@ -39,18 +39,18 @@ references:
 - https://redcanary.com/blog/threat-hunting-psexec-lateral-movement/
 tags:
   analytic_story:
-  - China-Nexus Threat Activity
+  - Sandworm Tools
+  - SamSam Ransomware
   - BlackByte Ransomware
-  - HAFNIUM Group
-  - DHS Report TA18-074A
   - CISA AA22-320A
-  - DarkSide Ransomware
-  - Active Directory Lateral Movement
+  - China-Nexus Threat Activity
+  - Salt Typhoon
   - DarkGate Malware
-  - Sandworm Tools
+  - Active Directory Lateral Movement
+  - HAFNIUM Group
+  - DarkSide Ransomware
   - Rhysida Ransomware
-  - Earth Estries
-  - SamSam Ransomware
+  - DHS Report TA18-074A
   asset_type: Endpoint
   mitre_attack_id:
   - T1569.002

detections/endpoint/detect_renamed_winrar.yml

@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: '10'
-date: '2025-02-24'
+version: '11'
+date: '2025-03-19'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -39,9 +39,9 @@ references:
 tags:
   analytic_story:
   - China-Nexus Threat Activity
-  - CISA AA22-277A
   - Collection and Staging
-  - Earth Estries
+  - CISA AA22-277A
+  - Salt Typhoon
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: '12'
-date: '2025-02-28'
+version: '13'
+date: '2025-03-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -15,14 +15,15 @@ description: The following analytic identifies the creation of executables or sc
   a significant security threat.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
-  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
-  AND Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
+search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
+  file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\windows\\fonts\\*",
+  "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
+  "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",
   "*\\Windows\\repair\\*", "*\\PerfLogs\\*") AND NOT(Filesystem.file_path IN("*\\temp\\*"))
   by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
-  | `drop_dm_object_name(Filesystem)` 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)`
+  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `executables_or_script_creation_in_suspicious_path_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
@@ -60,48 +61,48 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - BlackByte Ransomware
-  - Brute Ratel C4
-  - Trickbot
+  - SystemBC
   - Snake Keylogger
-  - Graceful Wipe Out Attack
-  - PlugX
-  - Handala Wiper
-  - Earth Estries
-  - Warzone RAT
-  - ValleyRAT
-  - NjRAT
+  - China-Nexus Threat Activity
+  - Remcos
   - LockBit Ransomware
-  - Double Zero Destructor
-  - Swift Slicer
-  - DarkCrystal RAT
   - AsyncRAT
-  - Volt Typhoon
-  - Chaos Ransomware
-  - Hermetic Wiper
+  - DarkCrystal RAT
   - Derusbi
-  - XMRig
-  - AgentTesla
   - WinDealer RAT
-  - RedLine Stealer
-  - Remcos
-  - Rhysida Ransomware
-  - China-Nexus Threat Activity
+  - DarkGate Malware
   - Crypto Stealer
+  - ValleyRAT
+  - AcidPour
+  - PlugX
+  - Data Destruction
   - Qakbot
-  - IcedID
+  - CISA AA23-347A
+  - Hermetic Wiper
+  - Volt Typhoon
+  - Double Zero Destructor
+  - NjRAT
+  - Trickbot
+  - AgentTesla
   - Meduza Stealer
-  - AcidPour
+  - SnappyBee
+  - Azorult
+  - WhisperGate
+  - Warzone RAT
+  - Swift Slicer
+  - Rhysida Ransomware
+  - Brute Ratel C4
+  - BlackByte Ransomware
+  - Graceful Wipe Out Attack
+  - Chaos Ransomware
+  - Handala Wiper
+  - RedLine Stealer
+  - Salt Typhoon
+  - XMRig
   - MoonPeak
-  - CISA AA23-347A
-  - DarkGate Malware
   - Industroyer2
-  - Azorult
-  - Data Destruction
   - Amadey
-  - SnappyBee
-  - WhisperGate
-  - SystemBC
+  - IcedID
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 11
-date: '2025-02-11'
+version: '12'
+date: '2025-03-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -15,14 +15,13 @@ description: The following analytic identifies the creation of executables or sc
   a significant security threat.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
-  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") 
-  AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*")
-  by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user
-  | `drop_dm_object_name(Filesystem)` 
-  | `security_content_ctime(firstTime)` 
-  | `security_content_ctime(lastTime)`
-  | `executables_or_script_creation_in_temp_path_filter`'
+search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
+  file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*",
+  "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.file_create_time Filesystem.process_id
+  Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the Filesystem responsible for the changes from
   your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
@@ -48,8 +47,8 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Potentially suspicious executable or script with file name $file_name$, $file_path$
-    and process_id $process_id$ was created in temporary folder by $user$
+  message: Potentially suspicious executable or script with file name $file_name$,
+    $file_path$ and process_id $process_id$ was created in temporary folder by $user$
   risk_objects:
   - field: user
     type: user
@@ -59,47 +58,47 @@ rba:
     type: file_name
 tags:
   analytic_story:
-  - Chaos Ransomware
-  - Trickbot
   - Snake Keylogger
-  - CISA AA23-347A
-  - Industroyer2
-  - WinDealer RAT
-  - Qakbot
-  - Warzone RAT
-  - IcedID
-  - ValleyRAT
-  - Azorult
-  - Handala Wiper
+  - China-Nexus Threat Activity
+  - Remcos
   - LockBit Ransomware
-  - Meduza Stealer
-  - Brute Ratel C4
   - AsyncRAT
-  - AcidPour
+  - DarkCrystal RAT
   - Derusbi
+  - WinDealer RAT
   - DarkGate Malware
-  - Graceful Wipe Out Attack
-  - NjRAT
-  - WhisperGate
-  - Data Destruction
-  - BlackByte Ransomware
-  - AgentTesla
-  - Swift Slicer
+  - AcidPour
+  - ValleyRAT
   - Crypto Stealer
+  - PlugX
+  - Data Destruction
+  - Qakbot
+  - CISA AA23-347A
   - Hermetic Wiper
-  - MoonPeak
+  - Volt Typhoon
   - Double Zero Destructor
-  - XMRig
-  - PlugX
-  - Amadey
-  - DarkCrystal RAT
-  - Remcos
-  - China-Nexus Threat Activity
-  - Earth Estries
+  - NjRAT
+  - Trickbot
+  - Meduza Stealer
+  - AgentTesla
+  - SnappyBee
+  - Azorult
+  - WhisperGate
+  - Warzone RAT
+  - Swift Slicer
   - Rhysida Ransomware
+  - Brute Ratel C4
+  - BlackByte Ransomware
+  - Graceful Wipe Out Attack
+  - Chaos Ransomware
+  - Handala Wiper
   - RedLine Stealer
-  - Volt Typhoon
-  - SnappyBee
+  - Salt Typhoon
+  - XMRig
+  - MoonPeak
+  - Industroyer2
+  - Amadey
+  - IcedID
   asset_type: Endpoint
   mitre_attack_id:
   - T1036