From ec50c123807566c0c43bb30631adb6aac56d6d3e Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 26 Mar 2026 12:51:43 +0100 Subject: [PATCH 01/11] gh0st --- ...cmd_carry_out_string_command_parameter.yml | 5 +- .../endpoint/ping_sleep_batch_command.yml | 21 +++-- .../registry_keys_used_for_persistence.yml | 5 +- ...undll32_process_creating_exe_dll_files.yml | 5 +- .../sc_exe_manipulating_windows_services.yml | 5 +- ...ss_token_manipulation_sedebugprivilege.yml | 5 +- ..._tool_execution_from_non_shell_process.yml | 5 +- .../endpoint/windows_hosts_file_access.yml | 5 +- .../windows_net_system_service_discovery.yml | 5 +- .../windows_process_execution_in_temp_dir.yml | 5 +- .../windows_remote_access_registry_entry.yml | 55 ++++++++++++++ ...dll32_with_non_standard_file_extension.yml | 76 +++++++++++++++++++ ...e_created_with_suspicious_service_name.yml | 5 +- ...e_created_with_suspicious_service_path.yml | 5 +- ..._service_creation_using_registry_entry.yml | 5 +- .../endpoint/windows_service_stop_attempt.yml | 5 +- stories/gh0st_rat.yml | 45 +++++++++++ 17 files changed, 228 insertions(+), 34 deletions(-) create mode 100644 detections/endpoint/windows_remote_access_registry_entry.yml create mode 100644 detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml create mode 100644 stories/gh0st_rat.yml diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index 62f12ec6ff..62c3870bdb 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -1,7 +1,7 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 17 -date: '2026-02-25' +version: 18 +date: '2026-03-26' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting 
@@ -59,6 +59,7 @@ tags: - Log4Shell CVE-2021-44228 - Interlock Rat - 0bj3ctivity Stealer + - Gh0st RAT asset_type: Endpoint cve: - CVE-2021-44228 diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index ecf4473bc7..9c7d414996 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -1,7 +1,7 @@ name: Ping Sleep Batch Command id: ce058d6c-79f2-11ec-b476-acde48001122 -version: 14 -date: '2026-03-16' +version: 16 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -19,18 +19,22 @@ description: 'The following analytic identifies the execution of ping sleep batc thereby increasing the risk of prolonged unauthorized access and potential data - exfiltration. - -' + exfiltration.' data_source: - Sysmon EventID 1 - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ( - Processes.parent_process= "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*" Processes.parent_process IN ("*>*", "*>*") Processes.parent_process IN ("*&*", "*& *") - ) - OR ( Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*" Processes.process IN ("*>*", "*>*") Processes.process IN ("*&*", "*& *") ) + Processes.parent_process= "*ping*" AND + Processes.parent_process = *-n* AND + (Processes.parent_process IN ("*>*", "*>*") OR Processes.parent_process IN ("*&*", "*&*")) + ) + OR ( + Processes.process = "*ping*" AND + Processes.process = *-n* AND + (Processes.process IN ("*>*", "*>*") OR Processes.process IN ("*&*", "*&*")) + ) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path 
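Review bot: The rewritten WHERE clause in ping_sleep_batch_command.yml drops the `Processes.parent_process="* Nul*"` and `Processes.process="* Nul*"` terms, so the detection now fires on any ping invocation carrying `-n` together with a redirect or `&`, which is considerably broader than what the removed version matched; if that loosening is intended, `known_false_positives` (outside this hunk) should say so, otherwise the `Nul` term should be restored. The `IN` lists also repeat the same pattern twice — `("*>*", "*>*")` and the new `("*&*", "*&*")`, where the old `"*& *"` has been replaced by a duplicate of `"*&*"` — so each can be collapsed to `Processes.parent_process IN ("*>*", "*&*")` and `Processes.process IN ("*>*", "*&*")`. The description that precedes this block starts outside the hunk, so it is not visible whether it still mentions the `Nul` redirection.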
@@ -74,6 +78,7 @@ tags: - WhisperGate - BlackByte Ransomware - Void Manticore + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1497.003 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index b7678a75a1..5750fcfa32 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 29 -date: '2026-03-10' +version: 30 +date: '2026-03-26' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP @@ -77,6 +77,7 @@ tags: - ValleyRAT - Castle RAT - MuddyWater + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml index 1a67b0663d..f88a887276 100644 --- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml +++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml @@ -1,7 +1,7 @@ name: Rundll32 Process Creating Exe Dll Files id: 6338266a-ee2a-11eb-bf68-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: TTP @@ -43,6 +43,7 @@ tags: analytic_story: - IcedID - Living Off The Land + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1218.011 diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml index ccfa9bbf9f..a1d7ce18b8 100644 --- a/detections/endpoint/sc_exe_manipulating_windows_services.yml +++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml 
@@ -1,7 +1,7 @@ name: Sc exe Manipulating Windows Services id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-03-26' author: Rico Valdez, Splunk status: production type: TTP @@ -61,6 +61,7 @@ tags: - DHS Report TA18-074A - Crypto Stealer - Scattered Spider + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1543.003 diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml index 000913ae38..7b181bce6d 100644 --- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml +++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml @@ -1,7 +1,7 @@ name: Windows Access Token Manipulation SeDebugPrivilege id: 6ece9ed0-5f92-4315-889d-48560472b188 -version: 19 -date: '2026-03-10' +version: 20 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -52,6 +52,7 @@ tags: - Lokibot - Scattered Lapsus$ Hunters - Tuoni + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1134.002 diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index d6d6840091..5c053df49d 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -1,7 +1,7 @@ name: Windows Cmdline Tool Execution From Non-Shell Process id: 2afa393f-b88d-41b7-9793-623c93a2dfde -version: 10 -date: '2026-03-10' +version: 11 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -55,6 +55,7 @@ tags: - Tuoni - SolarWinds WHD RCE Post Exploitation - BlankGrabber Stealer + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1059.007 
diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml index 6ef3ba860c..1fb234ed19 100644 --- a/detections/endpoint/windows_hosts_file_access.yml +++ b/detections/endpoint/windows_hosts_file_access.yml @@ -1,7 +1,7 @@ name: Windows Hosts File Access id: b34bcf35-5380-4b00-b208-5531303fb751 -version: 1 -date: '2026-03-03' +version: 2 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -60,6 +60,7 @@ rba: tags: analytic_story: - BlankGrabber Stealer + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_net_system_service_discovery.yml b/detections/endpoint/windows_net_system_service_discovery.yml index abcf3ce391..0a00f93118 100644 --- a/detections/endpoint/windows_net_system_service_discovery.yml +++ b/detections/endpoint/windows_net_system_service_discovery.yml @@ -1,7 +1,7 @@ name: Windows Net System Service Discovery id: dd7da098-83b8-4c48-b09d-e51aeb621e81 -version: 3 -date: '2026-03-10' +version: 4 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -56,6 +56,7 @@ rba: tags: analytic_story: - LAMEHUG + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1007 diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index 79ce310dd0..2c4895236b 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,7 +1,7 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 8 -date: '2026-03-10' +version: 9 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,6 +51,7 @@ tags: - PromptLock - Lokibot - SesameOp + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1543 
diff --git a/detections/endpoint/windows_remote_access_registry_entry.yml b/detections/endpoint/windows_remote_access_registry_entry.yml
new file mode 100644
index 0000000000..730a2a931f
--- /dev/null
+++ b/detections/endpoint/windows_remote_access_registry_entry.yml
@@ -0,0 +1,55 @@
+name: Windows Remote Access Registry Entry
+id: a93df51e-e612-40b7-a105-33e288160575
+version: 1
+date: '2026-03-24'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This analytic identifies the modification of the Windows RemoteAccess Registry Entry. This technique can be used by malware author, adversaries, threat actors and red teamers to gain persistence on the system. This technique was commonly used by Gh0st RAT malware. Upon seeing this behavior, it is recommended to review the system services events specially the remote access services.
+data_source:
+ - Sysmon EventID 13
+search: |-
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
+ WHERE Registry.registry_path = "*\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip*"
+ by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
+ | `drop_dm_object_name(Registry)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_remote_access_registry_entry_filter`
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat
+drilldown_searches:
+ - name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Windows RemoteAccess Registry Modification detected on $dest$.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 20
+ threat_objects: []
+tags:
+ analytic_story:
+ - Gh0st RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1112
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml
new file mode 100644
index 0000000000..48f0b89f91
--- /dev/null
+++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml
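Review bot: The `WHERE Registry.registry_path = "*\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip*"` clause in the new windows_remote_access_registry_entry.yml matches every value written under that key, which will also catch legitimate Routing and Remote Access Service configuration, yet `known_false_positives` carries only the generic template sentence. If the specific value Gh0st RAT tampers with is documented in the referenced Malpedia entry, the search should pin it with a `Registry.registry_value_name` condition; either way `known_false_positives` should name RRAS or VPN server setup and administration as the expected benign source, e.g. `known_false_positives: Configuring or repairing the Routing and Remote Access service writes to this key; filter by the writing process and the value data set.`. The MITRE mapping is T1112 only while the description frames the technique as persistence; if persistence is the intent, the tags or the wording should be reconciled.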
@@ -0,0 +1,76 @@
+name: Windows Rundll32 with Non-Standard File Extension
+id: f52b55ce-41ad-4802-9909-fbd7cc8410a5
+version: 1
+date: '2026-03-18'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This analytic identifies the instance of rundll32.exe process loading a non-standard Windows modules file extension. This behavior is not common and can be associated with malicious activities, such as the Gh0st RAT backdoor. This technique is to evade possible detection by security tools that monitors a suspicious dll loading activity.
+data_source:
+ - Sysmon EventID 1
+ - Windows Event Log Security 4688
+ - CrowdStrike ProcessRollup2
+search: |-
+ | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+ where `process_rundll32` AND
+ NOT (Processes.process IN (
+ "*.dll*",
+ "*.cpl*",
+ "*.inf*",
+ "*.ocx*",
+ "*.drv*",
+ "*.mui*",
+ "*ssnetmon.d64*"
+ "*-localserver*",
+ "* SfxCA_*",
+ "*tsworkspace,WorkspaceStatusNotify2*",
+ "*tsworkspace,TaskUpdateWorkspaces2*"
+ "*streamci,StreamingDeviceSetup*"
+ "*Shell32,OpenAs_RunDLL*"
+ "*url,OpenURL https://claude.ai/*"
+ )
+ )
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_rundll32_with_non_standard_file_extension_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: No false positives have been identified at this time.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat
+drilldown_searches:
+ - name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: a rundll32 process [$process_name$] loading a non-standard file extension [$process$] in host [$dest$]
+ risk_objects:
+ - field: dest
+ type: system
+ score: 20
+ threat_objects:
+ - field: parent_process_name
+ type: parent_process_name
+tags:
+ analytic_story:
+ - Gh0st RAT
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1218.011
+ product:
+ - Splunk Enterprise
+ - Splunk
Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 32cb9cf58f..900b25ab59 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Name id: 35eb6d19-a497-400c-93c5-645562804b11 -version: 6 -date: '2026-03-10' +version: 7 +date: '2026-03-26' author: Steven Dick status: production type: Anomaly @@ -60,6 +60,7 @@ tags: - Qakbot - Snake Malware - Tuoni + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1569.002 diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 11c5b32df7..023a631983 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml @@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: 17 -date: '2026-03-10' +version: 18 +date: '2026-03-26' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP @@ -47,6 +47,7 @@ tags: - Crypto Stealer - Brute Ratel C4 - APT37 Rustonotto and FadeStealer + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1569.002 
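Review bot: Several entries in the `NOT (Processes.process IN (...))` exclusion list of windows_rundll32_with_non_standard_file_extension.yml are not separated by commas — `"*ssnetmon.d64*"`, `"*tsworkspace,TaskUpdateWorkspaces2*"`, `"*streamci,StreamingDeviceSetup*"` and `"*Shell32,OpenAs_RunDLL*"` each run straight into the following literal — which SPL will most likely reject or parse as something other than a list of patterns, so every entry should end with `,` and the search should be executed once before merge. The same defect recurs in the `Processes.parent_process_path IN (...)` list that PATCH 03 adds later in this series (`"*\\programdata\\*" "*\\windows\\tasks\\*"`). Separately, `known_false_positives: No false positives have been identified at this time.` is hard to justify for a heuristic whose exclusion list already has to name product-specific command lines such as `"* SfxCA_*"` and `"*url,OpenURL https://claude.ai/*"`; a sentence stating that installers and third-party software passing custom module names to rundll32 are the expected benign source, to be filtered via the `_filter` macro, would be more accurate.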
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index c0603d5527..524a44871e 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 17 -date: '2026-03-10' +version: 18 +date: '2026-03-26' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly @@ -44,6 +44,7 @@ tags: - Suspicious Windows Registry Activities - Crypto Stealer - Brute Ratel C4 + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1574.011 diff --git a/detections/endpoint/windows_service_stop_attempt.yml b/detections/endpoint/windows_service_stop_attempt.yml index 926efc77f1..d2e06921e1 100644 --- a/detections/endpoint/windows_service_stop_attempt.yml +++ b/detections/endpoint/windows_service_stop_attempt.yml @@ -1,7 +1,7 @@ name: Windows Service Stop Attempt id: dd0f07ea-f08f-4d88-96e5-cb58156e82b6 -version: 5 -date: '2026-02-25' +version: 6 +date: '2026-03-26' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -47,6 +47,7 @@ tags: - Prestige Ransomware - Graceful Wipe Out Attack - Scattered Lapsus$ Hunters + - Gh0st RAT asset_type: Endpoint mitre_attack_id: - T1489 diff --git a/stories/gh0st_rat.yml b/stories/gh0st_rat.yml new file mode 100644 index 0000000000..7b323d85c6 --- /dev/null +++ b/stories/gh0st_rat.yml 
@@ -0,0 +1,45 @@
+name: Gh0st RAT
+id: 5810ebaa-e4a6-4650-9f62-ac96f94bcdee
+version: 1
+date: '2026-03-24'
+author: Teoderick Contreras, Splunk
+status: production
+description: |
+ Gh0st RAT is a long‑running Windows remote access trojan family known for full
+ interactive control, surveillance, and data theft. Variants implement a custom
+ binary wire protocol over TCP (often high ports), peer‑to‑peer relaying, and
+ modular features such as keylogging, screen and camera capture, audio recording,
+ file management, and remote shell. Operators frequently achieve persistence via
+ Run keys, services, or scheduled tasks, and may load capability through
+ side‑loaded DLLs or abused LOLBins. Because Gh0st tooling is widely shared and
+ re‑branded, detections should emphasize behavioral chains—ingress staging,
+ non‑standard process ancestry, unusual outbound sessions, and registry or service
+ changes associated with remote access—rather than brittle file hashes alone.
+narrative: |
+ Gh0st samples typically establish a foothold through spear‑phishing, drive‑by
+ downloads, or supply‑chain delivery, then unpack a loader or injector that
+ decrypts the core implant in memory. The implant beacons to attacker‑controlled
+ infrastructure using its proprietary framing; some builds add encryption,
+ compression, or domain generation to resist network inspection. On the endpoint,
+ the malware often registers autostart mechanisms under standard persistence
+ locations, may masquerade as legitimate software or use stolen certificates,
+ and sometimes stages payloads under user‑writable or public directories before
+ execution. Operational use spans credential harvesting, lateral movement as a
+ foothold for follow‑on tools, and long‑term espionage.
Effective coverage + combines host telemetry (process creation, module loads, WMI or service + creation, and authentication events for remote access features) with firewall + and proxy logs highlighting repeated connections to uncommon ports, symmetric + upload/download ratios on non‑web protocols, and TLS anomalies where HTTPS + wrappers are used. Correlating registry edits that enable remote access or + weaken authentication with subsequent interactive sessions helps distinguish + Gh0st‑style remote control from benign administrative activity. +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 02b472255d3f0ad182ba8e1b6944bf1262316e0a Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 26 Mar 2026 12:57:06 +0100 Subject: [PATCH 02/11] gh0st --- detections/endpoint/ping_sleep_batch_command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index 9c7d414996..288ffcbcd2 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -1,6 +1,6 @@ name: Ping Sleep Batch Command id: ce058d6c-79f2-11ec-b476-acde48001122 -version: 16 +version: 14 date: '2026-03-26' author: Teoderick Contreras, Splunk status: production From 417191f4210ebebd7698cccb8ffb475efd569df6 Mon Sep 17 00:00:00 2001 
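Review bot: Setting `version: 14` in this PATCH 02 hunk returns ping_sleep_batch_command.yml to the value it carried before the series, even though PATCH 01 rewrote its `search` clause; the net result of the series is a changed detection with an unchanged version, which defeats the version/date tracking every other file in PATCH 01 follows. The bump in PATCH 01 went from 14 to 16 rather than 15, so the correction should be `version: 15`, not a revert to 14.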
From: Teoderick Contreras Date: Mon, 30 Mar 2026 10:04:46 +0200 Subject: [PATCH 03/11] gh0st --- ...te_access_service_registry_key_change.yml} | 15 +++-- ...dll32_with_non_standard_file_extension.yml | 60 +++++++++++++++---- stories/gh0st_rat.yml | 4 ++ 3 files changed, 61 insertions(+), 18 deletions(-) rename detections/endpoint/{windows_remote_access_registry_entry.yml => windows_routing_and_remote_access_service_registry_key_change.yml} (76%) diff --git a/detections/endpoint/windows_remote_access_registry_entry.yml b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml similarity index 76% rename from detections/endpoint/windows_remote_access_registry_entry.yml rename to detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml index 730a2a931f..c97a8845d2 100644 --- a/detections/endpoint/windows_remote_access_registry_entry.yml +++ b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml 
@@ -1,11 +1,11 @@ -name: Windows Remote Access Registry Entry +name: Windows Routing and Remote Access Service Registry Key Change id: a93df51e-e612-40b7-a105-33e288160575 version: 1 date: '2026-03-24' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This analytic identifies the modification of the Windows RemoteAccess Registry Entry. This technique can be used by malware author, adversaries, threat actors and red teamers to gain persistence on the system. This technique was commonly used by Gh0st RAT malware. Upon seeing this behavior, it is recommended to review the system services events specially the remote access services. +description: This analytic identifies the modification of the Windows RemoteAccess Registry Entry. This technique can be used by malware authors, adversaries, threat actors and red teamers to gain persistence on the system. This technique was commonly used by Gh0st RAT malware. Upon seeing this behavior, it is recommended to review the system services events specially the remote access services. data_source: - Sysmon EventID 13 search: |- 
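Review bot: The corrected description line still ends with "review the system services events specially the remote access services", and after the rename to "Windows Routing and Remote Access Service Registry Key Change" it no longer names the key the search actually matches; suggest `Upon seeing this behavior, review the service events for the Routing and Remote Access service, especially the process that changed the RouterManagers\Ip key and the value data it wrote.`. The `name` and the `rba.message` (changed in the next hunk of this file) both say "Routing and Remote Access Service", so the description should use the same name rather than "RemoteAccess Registry Entry" for consistency. The `search` block this file defines continues past the end of the hunk.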
@@ -15,11 +15,14 @@ search: |- | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_remote_access_registry_entry_filter` + | `windows_routing_and_remote_access_service_registry_key_change_filter` how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. known_false_positives: Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 + - https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf + - https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' @@ -30,12 +33,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Windows RemoteAccess Registry Modification detected on $dest$. + message: Routing and Remote Access Service registry change detected at [$registry_path$] on [$dest$]. risk_objects: - field: dest type: system score: 20 - threat_objects: [] + threat_objects: + - field: registry_path + type: registry_path tags: analytic_story: - Gh0st RAT diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml index 48f0b89f91..386d3454c4 100644 
--- a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml +++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml @@ -1,7 +1,7 @@ name: Windows Rundll32 with Non-Standard File Extension id: f52b55ce-41ad-4802-9909-fbd7cc8410a5 version: 1 -date: '2026-03-18' +date: '2026-03-27' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -13,25 +13,59 @@ data_source: search: |- | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND - NOT (Processes.process IN ( + ( + Processes.parent_process_path IN ( + "*\\windows\\fonts\\*", + "*\\users\\public\\*", + "*\\windows\\debug\\*", + "*\\Users\\Administrator\\Music\\*", + "*Recycle.bin*", + "*\\Windows\\Media\\*", + "\\Windows\\repair\\*", + "*\\PerfLogs\\*", + "*:\\Windows\\Prefetch\\*", + "*:\\Windows\\Cursors\\*", + "*:\\Windows\\INF\\*", + "*\\temp\\*", + "*\\programdata\\*" + "*\\windows\\tasks\\*" + ) + + OR + + Processes.parent_process_name IN ( + "*cmd.exe*", + "*cscript.exe*", + "*mshta.exe*", + "*powershell.exe*", + "*pwsh.exe*", + "*regsvr32.exe*", + "*wscript.exe*" + ) + ) + AND NOT (Processes.process IN ( "*.dll*", "*.cpl*", "*.inf*", "*.ocx*", "*.drv*", "*.mui*", - "*ssnetmon.d64*" - "*-localserver*", - "* SfxCA_*", - "*tsworkspace,WorkspaceStatusNotify2*", - "*tsworkspace,TaskUpdateWorkspaces2*" - "*streamci,StreamingDeviceSetup*" - "*Shell32,OpenAs_RunDLL*" - "*url,OpenURL https://claude.ai/*" - ) ) - by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + ) + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user Processes.user_id 
Processes.vendor_product Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(Processes)` + | rex field=process "^(?[^\s]+)\s+\"?(?[^,^\"^\s]+).*?,(?.*)$" + | rex field=cmd_base_first_param "^(?[^\\\\]+)\\\\(?[^\\\\]+)" + | eval folder_count = mvcount(split(cmd_base_first_param, "\\")) + | where (folder_count = 3 AND NOT lower(subdirs) IN ( + "windows", + "program files", + "program files (x86)" )) + + OR + + like(cmd_base_first_param, "%:\\ProgramData\\%") OR like(cmd_base_first_param, "%:\\Users\\Public\\%") OR like(cmd_base_first_param, "%\\AppData\\Local\\Temp\\%") OR like(cmd_base_first_param, "%\\AppData\\Roaming\\%") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rundll32_with_non_standard_file_extension_filter` @@ -71,6 +105,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog diff --git a/stories/gh0st_rat.yml b/stories/gh0st_rat.yml index 7b323d85c6..8bcfc586fd 100644 --- a/stories/gh0st_rat.yml +++ b/stories/gh0st_rat.yml 
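Review bot: In the new `Processes.parent_process_path IN (...)` list, `"\\Windows\\repair\\*"` is the only entry without a leading wildcard, so unlike its neighbours (`"*\\windows\\debug\\*"`, `"*:\\Windows\\Prefetch\\*"`) it can never match a full path that begins with a drive letter; it should read `"*\\Windows\\repair\\*"`. `"*\\Users\\Administrator\\Music\\*"` looks fitted to the test dataset rather than to a general staging location; `"*\\Users\\*\\Music\\*"` or dropping it would generalise better. The added `rex` stages render as `(?[^\s]+)` and `(?[^\\\\]+)` with no capture-group names, which is an invalid regex as shown and would leave `cmd_base_first_param` and `subdirs` unpopulated so the trailing `where` filters out every event — presumably `<name>` brackets were stripped by the renderer, but please confirm the committed file carries named groups matching the fields the `eval` and `where` consume.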
@@ -35,6 +35,10 @@ narrative: | Gh0st‑style remote control from benign administrative activity. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 +- https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf +- https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/ +- https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/ tags: category: - Adversary Tactics From 75fc5ca7b8b4c7feef47e96dcef41d0ed8abde67 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 10:14:22 +0200 Subject: [PATCH 04/11] gh0st --- .../windows_rundll32_with_non_standard_file_extension.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml index 386d3454c4..7eea7c45aa 100644 --- a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml +++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml @@ -91,6 +91,8 @@ rba: threat_objects: - field: parent_process_name type: parent_process_name + - field: process + type: process tags: analytic_story: - Gh0st RAT From cd2b7e13a9119761b12e81497f946e26be53d293 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 10:18:03 +0200 Subject: [PATCH 05/11] gh0st --- .../endpoint/windows_security_support_provider_reg_query.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index 7471a8c400..2c1229aff4 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml 
+++ b/detections/endpoint/windows_security_support_provider_reg_query.yml 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SYSTEM\\CurrentControlSet\\Control\\LSA*" Processes.process IN ("*RunAsPPL*" , "*LsaCfgFlags*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: No false positives have been identified at this time. 
+known_false_positives: Certain legitimate Windows components, third-party applications, or administrative scripts may use rundll32.exe with non-standard or extensionless inputs during normal operation. Filtering and contextual analysis are required, focus on command-line arguments, parent process, file location, and prevalence across the environment before determining malicious intent. references: - https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS From ec6d9ec82d5522c0ee2699b5ee86c72b96114b8b Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 10:24:46 +0200 Subject: [PATCH 06/11] gh0st --- .../endpoint/windows_security_support_provider_reg_query.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index 2c1229aff4..d9ab09e7bc 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -1,6 +1,6 @@ name: Windows Security Support Provider Reg Query id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b -version: 9 +version: 10 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production From 31ebd6b3d2266482899bcbd00de99b4800a7f78b Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 11:05:04 +0200 Subject: [PATCH 07/11] gh0st --- ...ws_routing_and_remote_access_service_registry_key_change.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml index c97a8845d2..2506c922d2 100644 --- a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml 
+++ b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml @@ -10,7 +10,7 @@ data_source: - Sysmon EventID 13 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path = "*\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip*" + WHERE Registry.registry_path = "*\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip*" AND Registry.action=modified by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` From 551be70a1f789f94d53fc4248c9750b4ffc9ade6 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 11:05:35 +0200 Subject: [PATCH 08/11] gh0st --- ...ws_routing_and_remote_access_service_registry_key_change.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml index 2506c922d2..a525ee1da1 100644 --- a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml +++ b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml 
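Review bot: Adding `AND Registry.action=modified` restricts the search to value writes; as far as I know Sysmon EventID 12 (key create/delete) events map to a different `action` value in the Sysmon add-on, so creation of the `RouterManagers\Ip` key itself will no longer fire. That is consistent with `data_source` listing only Sysmon EventID 13, but if the intent is also to catch the key being created, the filter should become `Registry.action IN ("modified", "created")`. The `search` block continues past the hunk.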
@@ -10,7 +10,7 @@ data_source: - Sysmon EventID 13 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry - WHERE Registry.registry_path = "*\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\RouterManagers\\Ip*" AND Registry.action=modified + WHERE Registry.registry_path = "*\\Services\\RemoteAccess\\RouterManagers\\Ip*" AND Registry.action=modified by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` From 8f8045d5884a387935d0fc203f42351571b6ecd7 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 11:19:08 +0200 Subject: [PATCH 09/11] gh0st --- .../windows_rundll32_with_non_standard_file_extension.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml index 7eea7c45aa..4a8c498a89 100644 --- a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml +++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml 
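Review bot: Dropping `SYSTEM\\CurrentControlSet` from the path wildcard means the search now also matches numbered control sets such as `ControlSet001` and any other key containing `\Services\RemoteAccess\RouterManagers\Ip`; that is presumably intentional, since some registry telemetry records the numbered control set rather than `CurrentControlSet`. The description or `how_to_implement` should say so, otherwise a later maintainer may read the broader pattern as an accident and restore the anchor. The `search` block continues past the hunk.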
@@ -73,6 +73,9 @@ how_to_implement: The detection is based on data that originates from Endpoint D known_false_positives: No false positives have been identified at this time. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 + - https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf + - https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' From ba98cd7935c6b94315d18a454040e2c1ff2212f8 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 11:23:41 +0200 Subject: [PATCH 10/11] gh0st --- .../windows_rundll32_with_non_standard_file_extension.yml | 2 +- .../endpoint/windows_security_support_provider_reg_query.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml index 4a8c498a89..9054c29639 100644 --- a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml +++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml 
@@ -70,7 +70,7 @@ search: |- | `security_content_ctime(lastTime)` | `windows_rundll32_with_non_standard_file_extension_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: No false positives have been identified at this time. +known_false_positives: Certain legitimate Windows components, third-party applications, or administrative scripts may use rundll32.exe with non-standard or extensionless inputs during normal operation. Filtering and contextual analysis are required, focus on command-line arguments, parent process, file location, and prevalence across the environment before determining malicious intent. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41 diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index d9ab09e7bc..4f5f7cb668 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SYSTEM\\CurrentControlSet\\Control\\LSA*" Processes.process IN ("*RunAsPPL*" , "*LsaCfgFlags*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_security_support_provider_reg_query_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Certain legitimate Windows components, third-party applications, or administrative scripts may use rundll32.exe with non-standard or extensionless inputs during normal operation. 
Filtering and contextual analysis are required, focus on command-line arguments, parent process, file location, and prevalence across the environment before determining malicious intent. +known_false_positives: No false positives have been identified at this time. references: - https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS From 66f1f405ff0ce900f7e4156626705e19add641ec Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 30 Mar 2026 11:26:03 +0200 Subject: [PATCH 11/11] gh0st --- ...ws_routing_and_remote_access_service_registry_key_change.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml index a525ee1da1..b6246274a1 100644 --- a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml +++ b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml 
@@ -17,7 +17,7 @@ search: |- | `security_content_ctime(lastTime)` | `windows_routing_and_remote_access_service_registry_key_change_filter` how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Be aware of potential false positives - legitimate applications may cause benign activities to be flagged. +known_false_positives: Be aware of potential false positives - legitimate applications like services.exe, svchost.exe and mmc.exe may cause benign activities to be flagged. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/22ad9f0e-4349-43e0-92b3-37f7a9c7ca41
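Review bot: The new `known_false_positives` text names services.exe, svchost.exe and mmc.exe, but the search's `by` clause (visible in the earlier hunks of this file) carries only `Registry.process_guid` and `Registry.process_id`, so an analyst cannot apply that guidance from the alert fields alone. Suggest extending the sentence with the pivot, e.g. `… may cause benign activities to be flagged; correlate process_guid with the Endpoint.Processes data model to confirm the writing process before tuning.`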