diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml index 4f70755ecb..8bd3c6f357 100644 --- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml +++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml @@ -1,33 +1,34 @@ name: Windows File Without Extension In Critical Folder id: 0dbcac64-963c-11ec-bf04-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-12-19' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: TTP -description: The following analytic detects the creation of files without extensions - in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem - datamodel, focusing on file paths and creation times. This activity is significant - as it may indicate the presence of destructive malware, such as HermeticWiper, which - drops driver components in these directories. If confirmed malicious, this behavior - could lead to severe system compromise, including boot sector wiping, resulting - in potential data loss and system inoperability. +description: This analytic detects the creation of files without extensions in critical Windows system and driver-related directories, including but not limited to System32\Drivers, Windows\WinSxS, and other known Windows driver storage and loading paths. The detection has been expanded to comprehensively cover all commonly abused and legitimate Windows driver folder locations, increasing visibility into attempts to stage or deploy kernel-mode components. The analytic leverages telemetry from the Endpoint.Filesystem data model, with a focus on file creation events and file path analysis. File creation activity in these directories—particularly involving extensionless files—is highly suspicious, as it may indicate the presence of destructive or stealthy malware. This behavior is consistent with malware families such as HermeticWiper, which deploy kernel driver components into trusted Windows driver directories to obtain low-level access and execute destructive payloads. If confirmed malicious, this activity can result in severe system compromise, including the deployment of malicious drivers, boot-sector or filesystem destruction, and ultimately system inoperability and irreversible data loss. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem - where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") +search: | + | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem + where Filesystem.file_path IN("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*", "*\\WINDOWS\\inf\\*","*\\Program Files*", "*\\WINDOWS\\System32\\DriverStore\\*","*:\\Windows\\WinSxS\\*","*\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*","*\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*","*\\Windows\\servicing\\*", "*\\Windows\\ELAMBKUP\\*","*\\Windows\\Boot\\*","*\\System32\\Boot\\*","*\\System32\\Recovery\\*", "C:\\AMD\\*", "C:\\OEM\\*") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id - Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | - rex field="file_name" "\.(?[^\.]*$)" | where isnull(extension) | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`' + Filesystem.user Filesystem.vendor_product + | `drop_dm_object_name(Filesystem)` + | rex field="file_name" "\.(?[^\.]*$)" + | where isnull(extension) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_file_without_extension_in_critical_folder_filter` how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives: Unknown at this point references: - https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html +- https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html +- https://learn.microsoft.com/en-us/answers/questions/2184241/where-does-windows-installation-search-for-drivers drilldown_searches: - name: View the detection results for - "$user$" search: '%original_detection_search% | search user = "$user$"' @@ -48,7 +49,9 @@ rba: - field: user type: user score: 90 - threat_objects: [] + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - Data Destruction diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index f406ba9596..c19c7a0a3d 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -1,8 +1,8 @@ name: Windows Service Create Kernel Mode Driver id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb -version: 7 -date: '2025-05-02' -author: Michael Haag, Splunk +version: 8 +date: '2025-12-19' +author: Michael Haag, Teoderick Contreras Splunk status: production type: TTP description: The following analytic identifies the creation of a new kernel mode driver @@ -17,15 +17,19 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe - Processes.process="*kernel*" by Processes.action Processes.dest Processes.original_file_name +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) Processes.process IN ("*kernel*", "*filesys*") Processes.process="*type*" + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path - Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_kernel_mode_driver_filter`' + Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_service_create_kernel_mode_driver_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -39,6 +43,8 @@ known_false_positives: False positives may be present based on common applicatio adding new drivers, however, filter as needed. references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ +- https://whiteknightlabs.com/2025/11/25/discreet-driver-loading-in-windows/ +- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-config drilldown_searches: - name: View the detection results for - "$user$" and "$dest$" search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' diff --git a/detections/endpoint/windows_suspicious_driver_loaded_path.yml b/detections/endpoint/windows_suspicious_driver_loaded_path.yml index afccde3e2a..2faaec0f34 100644 --- a/detections/endpoint/windows_suspicious_driver_loaded_path.yml +++ b/detections/endpoint/windows_suspicious_driver_loaded_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Driver Loaded Path id: 2ca1c4a1-8342-4750-9363-905650e0c933 -version: 5 -date: '2025-09-18' +version: 6 +date: '2025-12-19' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,12 +15,13 @@ description: The following analytic detects the loading of drivers from leading to privilege escalation, persistence, or further system compromise. data_source: - Sysmon EventID 6 -search: '`sysmon` EventCode=6 ImageLoaded = "*.sys" NOT (ImageLoaded IN("*\\WINDOWS\\inf","*\\WINDOWS\\System32\\drivers\\*", - "*\\WINDOWS\\System32\\DriverStore\\FileRepository\\*","*:\Windows\\WinSxS\\*","*\\ProgramData\\Microsoft\\Windows - Defender\\Definition Updates\\*")) | stats min(_time) as firstTime max(_time) - as lastTime count by ImageLoaded dest dvc process_hash process_path signature signature_id - user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_suspicious_driver_loaded_path_filter`' +search: '`sysmon` EventCode=6 + ImageLoaded IN("*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", + "*Recycle.bin*", "*\\Windows\\Media\\*","\\Windows\\repair\\*", "*\\PerfLogs\\*", "*:\\Windows\\Prefetch\\*", "*:\\Windows\\Cursors\\*", "*\\temp\\*", "*\\download*", "*\\appdata\\*") + | stats min(_time) as firstTime max(_time) as lastTime count by ImageLoaded dest dvc process_hash process_path signature signature_id user_id vendor_product + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_suspicious_driver_loaded_path_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. @@ -29,6 +30,7 @@ known_false_positives: Limited false positives will be present. Some references: - https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/ - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ +- https://whiteknightlabs.com/2025/11/25/discreet-driver-loading-in-windows/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"'