Analytics Story: Derusbi

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to Derusbi malware, a sophisticated threat often linked to advanced persistent attacks. Monitor anomalies in network traffic, file execution patterns, and unauthorized access attempts to uncover potential compromises. Utilize behavioral analytics and endpoint detection tools to identify indicators such as persistence, service creation, lateral movement via removable drives, driver loading, and DLL side-loading. By correlating these findings with known threat intelligence, you can quickly respond to and mitigate Derusbi-related incidents.

Why it matters

Derusbi is a stealthy and versatile malware family often associated with advanced persistent threats (APTs) targeting high-value systems. Known for its adaptability, it employs techniques like process injection and encrypted communications to evade detection. This malware family is frequently used for espionage, data theft, and system compromise, leveraging custom modules tailored to specific targets. Derusbi’s ability to remain undetected for extended periods makes it a significant threat, emphasizing the need for robust monitoring and advanced detection mechanisms to mitigate its impact.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Windows Unsigned MS DLL Side-Loading | Boot or Logon Autostart Execution, DLL | Anomaly |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly |
| Windows Unsigned DLL Side-Loading | DLL | Anomaly |
| Suspicious Regsvr32 Register Suspicious Path | Regsvr32 | TTP |
| Windows Service Created with Suspicious Service Path | Service Execution | TTP |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows Replication Through Removable Media | Replication Through Removable Media | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
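The following is an added example, not code from the analytics story or from Splunk, showing how four of the detections listed above map onto the data sources in this table: unsigned DLL side-loading (Sysmon EventID 7), a service created with a suspicious binary path (System EventID 7045), Run-key persistence (Sysmon EventID 13), and an executable written to a temp path (Sysmon EventID 11). The events are hand-constructed to resemble those log types; the field names, the path patterns treated as suspicious, and the binary names are assumptions for illustration, not the real searches or a real sourcetype schema.

```python
"""Toy detection pass for Derusbi-style behaviours over constructed events.

Added example, not part of the analytics story. Event records are
hand-constructed to mimic Sysmon EventID 7/11/13 and System EventID 7045;
field names and values are assumptions, not a real sourcetype schema.
"""
import re

# Paths from which legitimate services and binaries rarely run (assumption).
SUSPICIOUS_PATH = re.compile(r"\\(temp|tmp|users\\public|programdata)\\", re.I)
# Classic autostart locations (Registry Run Keys / Startup Folder technique).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# File types worth flagging when written to a temp-style path.
EXEC_EXT = re.compile(r"\.(exe|dll|bat|cmd|ps1|vbs|js)$", re.I)


def _dirname(path: str) -> str:
    """Directory portion of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def check_dll_side_loading(ev):
    """Sysmon 7: unsigned DLL loaded from the loading process's own directory."""
    if ev["EventID"] != 7 or ev.get("Signed", "").lower() != "false":
        return None
    if _dirname(ev["Image"]) != _dirname(ev["ImageLoaded"]):
        return None
    # An unsigned DLL that claims Microsoft as its company is the stronger signal.
    if "microsoft" in ev.get("Company", "").lower():
        return "Windows Unsigned MS DLL Side-Loading"
    return "Windows Unsigned DLL Side-Loading In Same Process Path"


def check_service_path(ev):
    """System 7045: new service whose binary lives in a suspicious path."""
    if ev["EventID"] == 7045 and SUSPICIOUS_PATH.search(ev["ImagePath"]):
        return "Windows Service Created with Suspicious Service Path"
    return None


def check_run_key_persistence(ev):
    """Sysmon 13: registry value written under a Run/RunOnce key."""
    if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
        return "Registry Keys Used For Persistence"
    return None


def check_temp_executable(ev):
    """Sysmon 11: executable or script created in a temp-style path."""
    if ev["EventID"] == 11:
        target = ev["TargetFilename"]
        if SUSPICIOUS_PATH.search(target) and EXEC_EXT.search(target):
            return "Executables Or Script Creation In Temp Path"
    return None


CHECKS = (check_dll_side_loading, check_service_path,
          check_run_key_persistence, check_temp_executable)


def run_detections(events):
    """Return (rule name, event) pairs for every event that trips a check."""
    hits = []
    for ev in events:
        for check in CHECKS:
            rule = check(ev)
            if rule:
                hits.append((rule, ev))
    return hits


# Constructed sample events; paths and names are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\update\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\update\version.dll",
     "Signed": "false", "Company": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\ProgramData\svc\wupd.exe",
     "ImageLoaded": r"C:\ProgramData\svc\helper.dll",
     "Signed": "false", "Company": ""},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",   # benign, signed
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Company": "Microsoft Corporation"},
    {"EventID": 7045, "ServiceName": "WinUpdSvc",
     "ImagePath": r"C:\ProgramData\svc\wupd.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",                     # benign
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\update\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\wupd",
     "Details": r"C:\Users\Public\update\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\report.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\loader.dll"},
    {"EventID": 11, "Image": r"C:\Program Files\Word\winword.exe",  # benign temp file
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~doc.tmp"},
]

if __name__ == "__main__":
    for rule, ev in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: EventID {ev['EventID']}")
```

Each check is deliberately narrow and keyed to one event type, which mirrors how the story's detections are split by data source; in practice the side-loading rule would also be tuned with an allowlist of known installers that legitimately load unsigned DLLs from their own directory, and the path patterns would be adjusted to the environment.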

References


Source: GitHub | Version: 2