diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 62f12ec6ff..62c3870bdb 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -1,7 +1,7 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 17 -date: '2026-02-25' +version: 18 +date: '2026-03-26' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting @@ -59,6 +59,7 @@ tags: - Log4Shell CVE-2021-44228 - Interlock Rat - 0bj3ctivity Stealer + - Gh0st RAT asset_type: Endpoint cve: - CVE-2021-44228 diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index ecf4473bc7..0d5f6fb0f7 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml 
@@ -1,43 +1,61 @@ name: Ping Sleep Batch Command id: ce058d6c-79f2-11ec-b476-acde48001122 version: 14 -date: '2026-03-16' +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: 'The following analytic identifies the execution of ping sleep batch commands. - - It leverages data from Endpoint Detection and Response (EDR) agents, focusing on - - process and parent process command-line details. This activity is significant as - - it indicates an attempt to delay malicious code execution, potentially evading detection - - or sandbox analysis. If confirmed malicious, this technique allows attackers to - - bypass security measures, making it harder to detect and analyze their activities, - - thereby increasing the risk of prolonged unauthorized access and potential data - - exfiltration. - -' +description: |- + The following analytic identifies the execution of ping sleep batch commands. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. + This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis. + If confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration. 
data_source: - Sysmon EventID 1 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE ( - Processes.parent_process= "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*" Processes.parent_process IN ("*>*", "*>*") Processes.parent_process IN ("*&*", "*& *") + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + ( + Processes.parent_process= "*ping*" + Processes.parent_process = *-n* + Processes.parent_process IN ( + "*& *", + "*&*", + "*&C:*", + "*>*", + "*>*" + ) + ) + OR + ( + ( + Processes.process_name= "ping.exe" + OR + Processes.original_file_name= "ping.exe" ) - OR ( Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*" Processes.process IN ("*>*", "*>*") Processes.process IN ("*&*", "*& *") ) - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + Processes.process = *-n* + Processes.process IN ( + "*& *", + "*&*", + "*&C:*", + "*>*", + "*>*" + ) + ) + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name 
Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -74,6 +92,7 @@ tags: - WhisperGate - BlackByte Ransomware - Void Manticore + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1497.003 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index b7678a75a1..5750fcfa32 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 29 -date: '2026-03-10' +version: 30 +date: '2026-03-26' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP @@ -77,6 +77,7 @@ tags: - ValleyRAT - Castle RAT - MuddyWater + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index 1a67b0663d..f88a887276 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml +++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml @@ -1,7 +1,7 @@ name: Rundll32 Process Creating Exe Dll Files id: 6338266a-ee2a-11eb-bf68-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: TTP @@ -43,6 +43,7 @@ tags: analytic_story: - IcedID - Living Off The Land + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1218.011 diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 000913ae38..7b181bce6d 100644 
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -1,7 +1,7 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 -version: 19 -date: '2026-03-10' +version: 20 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,6 +52,7 @@ tags: - Lokibot - Scattered Lapsus$ Hunters - Tuoni + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1134.002 diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index d6d6840091..5c053df49d 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -1,7 +1,7 @@ name: Windows Cmdline Tool Execution From Non-Shell Process id: 2afa393f-b88d-41b7-9793-623c93a2dfde -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -55,6 +55,7 @@ tags: - Tuoni - SolarWinds WHD RCE Post Exploitation - BlankGrabber Stealer + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1059.007 diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml index 6ef3ba860c..1fb234ed19 100644 --- a/detections/endpoint/windows_hosts_file_access.yml +++ b/detections/endpoint/windows_hosts_file_access.yml @@ -1,7 +1,7 @@ name: Windows Hosts File Access id: b34bcf35-5380-4b00-b208-5531303fb751 -version: 1 -date: '2026-03-03' +version: 2 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -60,6 +60,7 @@ rba: tags: analytic_story: - BlankGrabber Stealer + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1012 
diff --git a/detections/endpoint/windows_net_system_service_discovery.yml b/detections/endpoint/windows_net_system_service_discovery.yml index a0f0c1f1bb..1c50207704 100644 --- a/detections/endpoint/windows_net_system_service_discovery.yml +++ b/detections/endpoint/windows_net_system_service_discovery.yml @@ -33,6 +33,7 @@ references: tags: analytic_story: - LAMEHUG + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1007 diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index 79ce310dd0..2c4895236b 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,7 +1,7 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 8 -date: '2026-03-10' +version: 9 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,6 +51,7 @@ tags: - PromptLock - Lokibot - SesameOp + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml new file mode 100644 index 0000000000..dceaedc702 --- /dev/null +++ b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml 
@@ -0,0 +1,79 @@ +name: Windows Routing and Remote Access Service Registry Key Change +id: a93df51e-e612-40b7-a105-33e288160575 +version: 1 +date: '2026-03-24' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: |- + This analytic identifies the modification of the Windows RemoteAccess Registry Entry. + This technique can be used by malware, adversaries, threat actors and red teamers to gain persistence on a system by tampering with the key to add a custom DLL to be loaded. + This technique was also observed to be used by Gh0st RAT malware. + Upon seeing this behavior, it is recommended to review the system services events especially the remote access services. +data_source: + - Sysmon EventID 13 +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Registry WHERE + + Registry.registry_path="*\\Services\\RemoteAccess\\RouterManagers\\Ip*" + Registry.action=modified + + by Registry.action Registry.dest Registry.process_guid + Registry.process_id Registry.registry_hive + Registry.registry_path Registry.registry_key_name + Registry.registry_value_data Registry.registry_value_name + Registry.registry_value_type Registry.status + Registry.user Registry.vendor_product + + | `drop_dm_object_name(Registry)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_routing_and_remote_access_service_registry_key_change_filter` +how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. +known_false_positives: | + There are legitimate reasons for changing this registry key/value. 
+ Investigate the change and its source and apply appropriate filters as needed. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 + - https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf + - https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/ +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Routing and Remote Access Service registry key [$registry_path$] was modified with the value [$registry_value_data$] by [$user$] on [$dest$]. 
+ risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: registry_path + type: registry_path +tags: + analytic_story: + - Gh0st RAT + asset_type: Endpoint + mitre_attack_id: + - T1112 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml new file mode 100644 index 0000000000..9c006d063c --- /dev/null +++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml 
@@ -0,0 +1,146 @@ +name: Windows Rundll32 with Non-Standard File Extension +id: f52b55ce-41ad-4802-9909-fbd7cc8410a5 +version: 1 +date: '2026-03-27' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: |- + This analytic identifies the instance of rundll32.exe process loading a non-standard Windows modules file extension. + This behavior is not common and can be associated with malicious activities, such as the Gh0st RAT backdoor. This technique is to evade possible detection by security tools that monitors a suspicious dll loading activity. +data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + `process_rundll32` + ( + Processes.parent_process_path IN ( + "*:\\PerfLogs\\*", + "*:\\ProgramData\\*", + "*:\\Recycle.bin\\*", + "*:\\Users\\Administrator\\Music\\*", + "*:\\Users\\Public\\*", + "*:\\Windows\\Cursors\\*", + "*:\\Windows\\debug\\*", + "*:\\Windows\\fonts\\*", + "*:\\Windows\\INF\\*", + "*:\\Windows\\Media\\*", + "*:\\Windows\\Prefetch\\*", + "*:\\Windows\\repair\\*", + "*:\\Windows\\Tasks\\*", + "*\\Temp\\*" + ) + OR + Processes.parent_process_name IN ( + "*cmd.exe*", + "*cscript.exe*", + "*mshta.exe*", + "*powershell.exe*", + "*pwsh.exe*", + "*regsvr32.exe*", + "*wscript.exe*" + ) + ) + NOT Processes.process IN ( + "*.cpl*", + "*.dll*", + "*.drv*", + "*.inf*", + "*.mui*", + "*.ocx*" + ) + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_path + Processes.process_exec Processes.process_guid Processes.process_hash + Processes.process_id Processes.process_integrity_level + Processes.process_path Processes.user Processes.user_id + Processes.vendor_product Processes.parent_process_name + 
Processes.parent_process Processes.process_name Processes.process + + | `drop_dm_object_name(Processes)` + + | rex field=process "^(?[^\s]+)\s+\"?(?[^,^\"^\s]+).*?,(?.*)$" + + | rex field=cmd_base_first_param "^(?[^\\\\]+)\\\\(?[^\\\\]+)" + + | eval folder_count = mvcount(split(cmd_base_first_param, "\\")) + + | where ( + folder_count = 3 + AND + NOT lower(subdirs) IN ( + "windows", + "program files", + "program files (x86)" + ) + ) + OR + like(cmd_base_first_param, "%:\\ProgramData\\%") + OR + like(cmd_base_first_param, "%:\\Users\\Public\\%") + OR + like(cmd_base_first_param, "%\\AppData\\Local\\Temp\\%") + OR + like(cmd_base_first_param, "%\\AppData\\Roaming\\%") + + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_rundll32_with_non_standard_file_extension_filter` +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: |- + Certain legitimate Windows components, third-party applications, or administrative scripts may use rundll32.exe with non-standard or extensionless inputs during normal operation. + Filtering and contextual analysis are required, focus on command-line arguments, parent process, file location, and prevalence across the environment before determining malicious intent. 
+references: + - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 + - https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf + - https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/ +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of [$parent_process_path] launched [$process_name$] loading a non-standard DLL extension [$process$] in host [$dest$] + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process + type: process +tags: + analytic_story: + - Living Off The Land + - Suspicious Rundll32 Activity + - Gh0st RAT + asset_type: Endpoint + mitre_attack_id: + - T1218.011 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index 7471a8c400..4f5f7cb668 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -1,6 +1,6 @@ name: Windows Security Support Provider Reg Query id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b -version: 9 +version: 10 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 32cb9cf58f..900b25ab59 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Name id: 35eb6d19-a497-400c-93c5-645562804b11 -version: 6 -date: '2026-03-10' +version: 7 +date: '2026-03-26' author: Steven Dick status: production type: Anomaly @@ -60,6 +60,7 @@ tags: - Qakbot - Snake Malware - Tuoni + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1569.002 diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 11c5b32df7..023a631983 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml 
@@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 17 -date: '2026-03-10' +version: 18 +date: '2026-03-26' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP @@ -47,6 +47,7 @@ tags: - Crypto Stealer - Brute Ratel C4 - APT37 Rustonotto and FadeStealer + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1569.002 diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index c0603d5527..524a44871e 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 17 -date: '2026-03-10' +version: 18 +date: '2026-03-26' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly @@ -44,6 +44,7 @@ tags: - Suspicious Windows Registry Activities - Crypto Stealer - Brute Ratel C4 + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1574.011 diff --git a/detections/endpoint/windows_service_stop_attempt.yml b/detections/endpoint/windows_service_stop_attempt.yml index 926efc77f1..d2e06921e1 100644 --- a/detections/endpoint/windows_service_stop_attempt.yml +++ b/detections/endpoint/windows_service_stop_attempt.yml @@ -1,7 +1,7 @@ name: Windows Service Stop Attempt id: dd0f07ea-f08f-4d88-96e5-cb58156e82b6 -version: 5 -date: '2026-02-25' +version: 6 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -47,6 +47,7 @@ tags: - Prestige Ransomware - Graceful Wipe Out Attack - Scattered Lapsus$ Hunters + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1489 diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index f19f239cd1..d86f86a7ac 100644 
--- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml 
@@ -1,31 +1,58 @@ name: Windows Time Based Evasion id: 34502357-deb1-499a-8261-ffe144abf561 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-30' author: Teoderick Contreras, Splunk status: production type: TTP data_source: - Sysmon EventID 1 - CrowdStrike ProcessRollup2 -description: The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "ping 0 -n". This behavior is significant as it is commonly used by malware like NJRAT to introduce time delays for evasion tactics, such as delaying self-deletion. If confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment. +description: |- + The following analytic detects potentially malicious processes that initiate a ping delay using an invalid IP address. + It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "ping 0 -n". + Malware like NJRAT was observed using this technique to introduce time delays for evasion tactics, such as delaying self-deletion. + If confirmed malicious, this activity could indicate an active infection attempting to evade detection, potentially leading to further compromise and persistence within the environment. 
search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.process_name = "ping.exe" Processes.parent_process = "* ping 0 -n *" + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + Processes.process_name = "ping.exe" + ( + Processes.parent_process IN ( + "*ping 0 -n *", + "*ping 0 -n *", + "*ping.exe 0 -n *", + "*ping.exe 0 -n *" + ) OR - Processes.process = "* ping 0 -n *" - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + Processes.process IN ( + "*ping 0 -n *", + "*ping 0 -n *", + "*ping.exe 0 -n *", + "*ping.exe 0 -n *" + ) + ) + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_time_based_evasion_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: No false positives have been identified at this time. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat diff --git a/stories/gh0st_rat.yml b/stories/gh0st_rat.yml new file mode 100644 index 0000000000..5c86cff15d --- /dev/null +++ b/stories/gh0st_rat.yml 
@@ -0,0 +1,39 @@ +name: Gh0st RAT +id: 5810ebaa-e4a6-4650-9f62-ac96f94bcdee +version: 1 +date: '2026-03-24' +author: Teoderick Contreras, Splunk +status: production +description: |- + Gh0st RAT is a long-running Windows remote access trojan family known for full interactive control, surveillance, and data theft. + + Variants implement a custom binary wire protocol over TCP (often high ports), peer-to-peer relaying, and modular features such as keylogging, screen and camera capture, audio recording, file management, and remote shell. + + Operators frequently achieve persistence via Run keys, services, or scheduled tasks, and may load capability through side-loaded DLLs or abused LOLBins. + + Because Gh0st tooling is widely shared and re-branded, detections should emphasize behavioral chains including ingress staging, non-standard process ancestry, unusual outbound sessions, and registry or service changes associated with remote access—rather than brittle file hashes alone. +narrative: |- + Gh0st samples typically establish a foothold through spear-phishing, drive-by downloads, or supply-chain delivery, then unpack a loader or injector that decrypts the core implant in memory. + + The implant beacons to attacker-controlled infrastructure using its proprietary framing; some builds add encryption, compression, or domain generation to resist network inspection. + + On the endpoint, the malware often registers autostart mechanisms under standard persistence locations, may masquerade as legitimate software or use stolen certificates, and sometimes stages payloads under user-writable or public directories before execution. + + Operational use spans credential harvesting, lateral movement as a foothold for follow-on tools, and long-term espionage. 
+ + Effective coverage combines host telemetry (process creation, module loads, WMI or service creation, and authentication events for remote access features) with firewall and proxy logs highlighting repeated connections to uncommon ports, symmetric upload/download ratios on non-web protocols, and TLS anomalies where HTTPS wrappers are used. + Correlating registry edits that enable remote access or weaken authentication with subsequent interactive sessions helps distinguish Gh0st-style remote control from benign administrative activity. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 + - https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf + - https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/ + - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/ +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection
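Review bot: the rewritten search in ping_sleep_batch_command.yml drops the `Processes.parent_process="* Nul*"` and `Processes.process="* Nul*"` terms that the removed lines required, and merges the two ANDed lists (`Processes.parent_process IN ("*>*", "*>*")` and `Processes.parent_process IN ("*&*", "*& *")`) into one OR list, so a command line now only needs `ping`, `-n` and either a `&` or a `>` to match instead of the `ping -n N > nul & ...` sleep idiom; either restore the `nul` redirect term and the conjunction, or say in the description that the scope was widened on purpose. While here: `"*&*"` already subsumes `"*& *"` and `"*&C:*"`, `"*>*"` is listed twice, and `Processes.parent_process= "*ping*"` also matches words such as `mapping` or `shipping`, so anchoring the parent branch on `ping.exe`/`ping ` the way the second branch anchors on `Processes.process_name= "ping.exe"` would cut noise. The search logic changed but `version: 14` was not bumped (only `date`), unlike every other detection touched in this commit.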
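Review bot: the hunk in windows_net_system_service_discovery.yml adds `- Gh0st RAT` to `analytic_story` without bumping `version` or `date`, while every other tag-only change in this commit does both (for example `-version: 8` / `+version: 9` and `+date: '2026-03-26'` in windows_process_execution_in_temp_dir.yml); add the same bump so content versioning stays consistent.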
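Review bot: in windows_routing_and_remote_access_service_registry_key_change.yml the search keys only on `Registry.registry_path="*\\Services\\RemoteAccess\\RouterManagers\\Ip*"` with `Registry.action=modified`, so any value written under that key raises an event, while the description says the technique is `tampering with the key to add a custom DLL to be loaded`; add a `Registry.registry_value_name` constraint for the value that carries the DLL path (or state that every value under the key is in scope), and name that key and value in the description instead of `the Windows RemoteAccess Registry Entry`. `known_false_positives` should also spell out the legitimate reasons it alludes to (installing or reconfiguring the Routing and Remote Access role is the obvious one) so analysts know what to filter. Minor: `date: '2026-03-24'` differs from the `2026-03-26` used across the rest of the commit.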
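Review bot: in windows_rundll32_with_non_standard_file_extension.yml the `rba.message` token `[$parent_process_path]` is missing its closing `$`, so the risk message will show the literal text instead of the path; it should read `[$parent_process_path$]`. Two things in the SPL also need checking: the capture groups in `| rex field=process "^(?[^\s]+)\s+\"?(?[^,^\"^\s]+).*?,(?.*)$"` and in the following `rex field=cmd_base_first_param` appear here with empty group names, yet `cmd_base_first_param` and `subdirs` are consumed downstream by `mvcount(split(cmd_base_first_param, "\\"))` and `lower(subdirs)`, so confirm the `(?<name>...)` names survived into the committed YAML; and `[^,^\"^\s]` treats the inner carets as literal characters, `[^,\"\s]` is what the intent reads as. The `references` block repeats the four links from the RRAS detection, including the MS-RRASM spec, which has nothing to do with rundll32 module loading; keep only the Gh0st reports that describe the rundll32 behaviour. The description's `loading a non-standard Windows modules file extension` also reads awkwardly; wording it as loading a module whose extension is not one of the standard Windows module extensions would match the `.cpl`/`.dll`/`.drv`/`.inf`/`.mui`/`.ocx` exclusion list in the search.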
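Review bot: windows_security_support_provider_reg_query.yml is bumped from `version: 9` to `version: 10` with no other change in the hunk and `date: '2026-03-10'` left as-is; either drop the bump, or, if the intent was to add `- Gh0st RAT` to its `analytic_story` as in the neighbouring files, include that tag and update the date.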
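Review bot: both IN lists in the windows_time_based_evasion.yml search contain each pattern twice (`"*ping 0 -n *"` and `"*ping.exe 0 -n *"` each appear two times); if the duplicates were meant to cover a different whitespace character between tokens, that is invisible in the diff and deserves a comment, otherwise dedupe. Wrapping the two branches in parentheses under `Processes.process_name = "ping.exe"` means both branches now require the child to be ping.exe, where the old single-line `WHERE ... OR Processes.process = "* ping 0 -n *"` let the `process` branch match any process name; that narrowing is a behavioural change worth a sentence in the description. Minor: `date: '2026-03-30'` is later than the `2026-03-26` used everywhere else in this commit.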
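Review bot: the stories/gh0st_rat.yml narrative never mentions the `RemoteAccess\RouterManagers\Ip` DLL-loading persistence that the only Gh0st-specific detection in this commit (windows_routing_and_remote_access_service_registry_key_change.yml) is built on, even though the MS-RRASM spec is in its `references`; add a sentence under `narrative` tying that registry tampering to the story so the reference is earned and the detection's placement is explained. The closing `Correlating registry edits that enable remote access or weaken authentication with subsequent interactive sessions` line, together with the firewall, proxy and authentication-event coverage described just above it, promises visibility that none of the endpoint analytics mapped to this story provide; either scope that paragraph to what the detections actually cover, or mark the network side as future work.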