Detection: Windows File Without Extension In Critical Folder

Updated Date: 2024-11-13 ID: 0dbcac64-963c-11ec-bf04-acde48001122 Author: Teoderick Contreras, Bhavin Patel, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects the creation of files without extensions in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability.

Search

1
2| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product 
3| `drop_dm_object_name(Filesystem)` 
4| rex field="file_name" "\.(?<extension>[^\.]*$)" 
5| where isnull(extension) 
6| `security_content_ctime(firstTime)` 
7| `security_content_ctime(lastTime)` 
8| `windows_file_without_extension_in_critical_folder_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 11	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_file_without_extension_in_critical_folder_filter	`search *`

windows_file_without_extension_in_critical_folder_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1485	Data Destruction	Impact

Actions on Objectives

DE.CM

CIS 10

LAPSUS$

Lazarus Group

Sandworm Team

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the Endpoint datamodel in the Filesystem node.

Known False Positives

Unknown at this point

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Driver file with out file extension drop in $file_path$ on $dest$

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	90	No Threat Objects

References

https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 5