splunk · nterl0k · Nov 10, 2023 · Nov 10, 2023 · Nov 10, 2023 · Nov 10, 2023
@@ -0,0 +1,75 @@
+name: Windows Alternate DataStream - Base64 Content
+id: 683f48de-982f-4a7e-9aac-9cec550da498
+version: 1
+date: '2023-10-30'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects when an uninterrupted string of base64 characters is written to the contents of an NTFS file system alternate data stream. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later use or persistence.
+data_source:
+- Sysmon Event ID 15
+search: '`sysmon` EventCode=15 NOT Contents IN ("-","[ZoneTransfer]*")
+| regex TargetFilename="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"
+| regex Contents="(?:[A-Za-z0-9+/]{128,})(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+| eval file_name = replace(TargetFilename,"(.*\\\)",""), process = Image , file_path = TargetFilename , base64 = Contents, file_hash = case( EventCode IN ("15"), coalesce(SHA256,SHA1,MD5,Hash), EventCode IN ("23","26"), coalesce(SHA256,SHA1,MD5,Hashes))
+| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by dest, process, process_guid, file_name, file_path, file_hash, base64, Contents
+| `base64decode(base64)` 
+| fields - base64 
+| rename base64_decode as command 
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+| `windows_alternate_datastream_base64_content_filter`'
+how_to_implement: Target environment must ingest sysmon data, specifically Event ID 15.
+known_false_positives: Unknown 
+references:
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+- https://car.mitre.org/analytics/CAR-2020-08-001/
+- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams 
+- https://blog.netwrix.com/2022/12/16/alternate_data_stream/
+tags:
+  analytic_story:
+  - Windows Defense Evasion Tactics
+  asset_type: Endpoint
+  confidence: 80
+  impact: 100
+  message: Base64 content written to an NTFS alternate data stream by $user$, see command field for details.
+  mitre_attack_id:
+  - T1564
+  - T1564.004
+  observable:
+  - name: dest
+    type: hostname
+    role:
+    - Victim
+  - name: user
+    type: username
+    role:
+    - Victim	
+  - name: process
+    type: other
+    role:
+    - Attacker
+  - name: file_name
+    type: other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - TargetFilename
+  - Image
+  - Contents
+  - file_hash
+  - process_guid
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
+    update_timestamp: true
@@ -0,0 +1,76 @@
+name: Windows Alternate DataStream - Executable Content
+id: a258bf2a-34fd-4986-8086-78f506e00206
+version: 1
+date: '2023-10-30'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects when data is written to the contents of an NTFS file system alternate data stream that possess an IMPASH value. This indicates that the data written has a PE structure and can be executed. This behavior could indicate a threat actor staging malicious code within difficult to detect areas of the file system for later usage or persistence. - Note: import hashing/imphash must be enabled within Sysmon.
+data_source:
+- Sysmon Event ID 15
+search: '`sysmon` EventCode=15 IMPHASH!=00000000000000000000000000000000 
+| regex TargetFilename="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"
+| eval file_name = replace(TargetFilename,"(.*\\\)",""), process = Image , file_path = TargetFilename, file_hash = case( EventCode IN ("15"), coalesce(SHA256,SHA1,MD5,Hash), EventCode IN ("23","26"), coalesce(SHA256,SHA1,MD5,Hashes))
+| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by dest, process, process_guid, file_name, file_path, file_hash, IMPHASH
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+| `windows_alternate_datastream_executable_content_filter`'
+how_to_implement: Target environment must ingest sysmon data, specifically Event ID 15.
+known_false_positives: Unknown 
+references:
+- https://car.mitre.org/analytics/CAR-2020-08-001/
+- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams 
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+tags:
+  analytic_story:
+  - Windows Defense Evasion Tactics
+  asset_type: Endpoint
+  confidence: 80
+  impact: 100
+  message: Base64 content written to an NTFS alternate data stream by $user$, see command field for details.
+  mitre_attack_id:
+  - T1564
+  - T1564.004
+  observable:
+  - name: dest
+    type: hostname
+    role:
+    - Victim
+  - name: user
+    type: username
+    role:
+    - Victim	
+  - name: process
+    type: other
+    role:
+    - Attacker
+  - name: file_name
+    type: other
+    role:
+    - Attacker
+  - name: file_hash
+    type: other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - dest
+  - TargetFilename
+  - Image
+  - Contents
+  - file_hash
+  - process_guid
+  - IMPHASH
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
+    update_timestamp: true
@@ -0,0 +1,69 @@
+name: Windows Alternate DataStream - Process Execution
+id: 30c32c5c-41fe-45db-84fe-275e4320da3f
+version: 1
+date: '2023-10-30'
+author: Steven Dick
+status: production
+type: TTP
+description: This following analytic detects when a process attempts to execute a file from within an NTFS file system alternate data stream. This behavior could indicate that a threat actor staged malicious code within a difficult to detect area of the file system and is now attempting to execute it.
+data_source:
+- Windows Security Event ID 4688
+- Sysmon Event ID 1
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime values(Processes.process_current_directory) as directory from datamodel=Endpoint.Processes where Processes.parent_process_name != "unknown" Processes.process_name IN ("appvlp.exe","bitsadmin.exe","control.exe","cscript.exe","forfiles.exe","ftp.exe","mavinject.exe","mshta.exe","powershell.exe","powershell_ise.exe","pwsh.exe","regini.exe","regscr32.exe","rundll32.exe","sc.exe","wmic.exe","wscript.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
+| `drop_dm_object_name(Processes)` 
+| regex process="(\b)\w+(\.\w+)?:\w+(\.\w{2,4})(?!\.)(\b|\s|&)"
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)`
+| `windows_alternate_datastream_process_execution_filter`'
+how_to_implement: Target environment must ingest process execution data sources such as Windows process monitoring and/or Sysmon EID 1.
+known_false_positives: False positives may be generated by process executions with a : in the commandline, regex has been provided to minimize the possibilty. 
+references:
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+- https://car.mitre.org/analytics/CAR-2020-08-001/
+- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams 
+- https://blog.netwrix.com/2022/12/16/alternate_data_stream/
+tags:
+  analytic_story:
+  - Windows Defense Evasion Tactics
+  asset_type: Endpoint
+  confidence: 80
+  impact: 100
+  message: The $process_name$ process was executed by $user$ using data from an NTFS alternate data stream.
+  mitre_attack_id:
+  - T1564
+  - T1564.004
+  observable:
+  - name: dest
+    type: hostname
+    role:
+    - Victim
+  - name: user
+    type: username
+    role:
+    - Victim	
+  - name: process_name
+    type: other
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Processes.dest      
+  - Processes.user
+  - Processes.parent_process_name
+  - Processes.process_name
+  - Processes.process
+  - Processes.process_id
+  - Processes.parent_process_id
+  risk_score: 80
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
+    update_timestamp: true