Analytics Story: Derusbi

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to Derusbi malware, a sophisticated threat often linked to advanced persistent attacks. Monitor anomalies in network traffic, file execution patterns, and unauthorized access attempts to uncover potential compromises. Utilize behavioral analytics and endpoint detection tools to identify indicators such as persistence, service creation, lateral movement via removable drives, driver loading and DLL side-loading. By correlating these findings with known threat intelligence, you can quickly respond to and mitigate Derusbi-related incidents.

Why it matters

Derusbi is a stealthy and versatile malware family often associated with advanced persistent threats (APTs) targeting high-value systems. Known for its adaptability, it employs techniques like process injection and encrypted communications to evade detection. This malware family is frequently used for espionage, data theft, and system compromise, leveraging custom modules tailored to specific targets. Derusbi’s ability to remain undetected for extended periods makes it a significant threat, emphasizing the need for robust monitoring and advanced detection mechanisms to mitigate its impact.

Detections

| Name | Technique | Type |
|---|---|---|
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Suspicious Regsvr32 Register Suspicious Path | System Binary Proxy Execution, Regsvr32 | TTP |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token, Access Token Manipulation | Anomaly |
| Windows Replication Through Removable Media | Replication Through Removable Media | TTP |
| Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly |
| Windows Unsigned DLL Side-Loading | DLL Side-Loading | Anomaly |
| Windows Unsigned DLL Side-Loading In Same Process Path | DLL Side-Loading, Hijack Execution Flow | TTP |
| Windows Unsigned MS DLL Side-Loading | DLL Side-Loading, Boot or Logon Autostart Execution | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4703 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System |

Source: GitHub | Version: 1