Detection: Windows NirSoft Utilities

Updated Date: 2024-10-17 ID: 5b2f4596-7d4c-11ec-88a7-acde48001122 Author: Michael Haag, Splunk Type: Hunting Product: Splunk Enterprise Security

Description

The following analytic identifies the execution of commonly used NirSoft utilities on Windows systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution details such as process name, parent process, and command-line arguments. This activity is significant for a SOC because NirSoft utilities, while legitimate, can be used by adversaries for malicious purposes like credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further system compromise.

Search

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id 
3| `drop_dm_object_name("Processes")` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `is_nirsoft_software_macro` 
7| `windows_nirsoft_utilities_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	N/A	`'crowdstrike:events:sensor'`	`'crowdstrike'`
Sysmon EventID 1	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`
Windows Event Log Security 4688	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Security'`

Macros Used

Name	Value
is_nirsoft_software_macro	`lookup update=true is_nirsoft_software filename as process_name OUTPUT nirsoftFile
windows_nirsoft_utilities_filter	`search *`

windows_nirsoft_utilities_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1588.002	Tool	Resource Development

KillChainPhase.WEAPONIZATION

NistCategory.DE_AE

Cis18Value.CIS_10

APT-C-36

APT1

APT19

APT28

APT29

APT32

APT33

APT38

APT39

APT41

Aoqin Dragon

Aquatic Panda

BITTER

BRONZE BUTLER

BackdoorDiplomacy

BlackTech

Blue Mockingbird

Carbanak

Chimera

Cinnamon Tempest

Cleaver

Cobalt Group

CopyKittens

DarkHydrus

DarkVishnya

Dragonfly

Earth Lusca

FIN10

FIN13

FIN5

FIN6

FIN7

FIN8

Ferocious Kitten

GALLIUM

Gamaredon Group

Gorgon Group

HEXANE

INC Ransom

Inception

IndigoZebra

Ke3chang

Kimsuky

LAPSUS$

Lazarus Group

Leafminer

LuminousMoth

Magic Hound

Metador

Moses Staff

MuddyWater

POLONIUM

Patchwork

PittyTiger

Play

Sandworm Team

Silence

Silent Librarian

Star Blizzard

TA2541

TA505

Threat Group-3390

Thrip

Turla

Volt Typhoon

WIRTE

Whitefly

Wizard Spider

menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	False

This configuration file applies to all detections of type hunting.

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

False positives may be present. Filtering may be required before setting to alert.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to NiRSoft software usage.	80	80	100

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 4