IcedID Exfiltrated Archived File Creation
Description
This search is to detect a suspicious file creation namely passff.tar and cookie.tar. This files are possible archived of stolen browser information like history and cookies in a compromised machine with IcedID.
- Type: Hunting
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-07-30
- Author: Teoderick Contreras, Splunk
- ID: 0db4da70-f14b-11eb-8043-acde48001122
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar")
|stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `icedid_exfiltrated_archived_file_creation_filter`
Macros
The SPL above uses the following Macros:
icedid_exfiltrated_archived_file_creation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- TargetFilename
- EventCode
- process_id
- process_name
- Computer
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
unknown
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 72.0 | 80 | 90 | process $SourceImage$ create a file $TargetImage$ in host $Computer$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1