coral raider queries

Cisco-Talos · Apr 23, 2024 · 99ec8d4 · 99ec8d4
1 parent 3e6e591
commit 99ec8d4
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -1252,6 +1252,33 @@
                 "windows"
             ]
         },
+        "malware_mshta_remote_payload_execution": {
+            "query": "SELECT pid, name, cmdline FROM processes WHERE name='mshta.exe' AND cmdline LIKE '%https://%' AND regex_match(cmdline, 'http(s)?://[A-Za-z0-9-]+(:|/)', 0) IS NULL AND regex_match(cmdline, 'http(s)?://[A-Za-z0-9-\\.]+\\.(test|example|invalid|localhost|local|eranet)', 0) IS NULL AND regex_match(cmdline, 'OED\\sEntry\\sEditor', 0) IS NULL;",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "Mshta is a Windows binary that allows to execute malicious code in different ways, such as code hosted on external URLs, or locally hosted scripts. Mshta is a native windows binary that can execute VBScript, JScript,  and Microsoft HTML Application (HTA) files. It is capable of executing code  from remote URLs and from local files on disk. Mshta has been known to be used by a variety of threat actors like CoralRaider and malware families such as ModernLoader to execute malicious payloads.",
+            "platform": [
+                 "windows"
+             ]
+        },
+        "malware_windows_defender_exclusion_added": {
+            "query": "SELECT key as reg_key, path as reg_path, name, data, mtime as most_recent_write FROM registry WHERE (key LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths' OR key LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes') AND data = '0';",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "An exclusion was added to Windows Defender via the registry. Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
+            "platform": [
+                "windows"
+            ]
+        },
+        "malware_rhadamanthys_registry_key_created": {
+            "query": "SELECT key as reg_key, path as reg_path, name, data, mtime as most_recent_write FROM registry WHERE key LIKE 'HKEY_USERS\\%\\SOFTWARE\\SibCode' AND LOWER(name) = 'sn';",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "A Registry Key associated with Rhadamanhys Malware has been created on the system. This registry key determines if it is already executing, preventing it from reinfecting an already infected system. Rhadamanhys is a modular multifunctional information stealer that collects and exfiltrates data from various web browsers and other applications on a target system.",
+            "platform": [
+                "windows"
+            ]
+        },
         "malware_netwire_downloader_filepath": {
             "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time FROM file f JOIN hash h ON f.path=h.path WHERE f.directory LIKE 'C:\\Users\\%\\AppData\\Local' AND f.filename IN ('Adobe Sign.exe', 'Adobe Reader.exe', 'Adobe Acrobat.exe');",
             "interval": 86400,

diff --git a/win_malware/malware_mshta_remote_payload_execution.yaml b/win_malware/malware_mshta_remote_payload_execution.yaml
@@ -0,0 +1,31 @@
+MSHTA Remote Payload Execution:
+  query: SELECT pid, name, cmdline FROM processes WHERE name='mshta.exe' AND cmdline LIKE '%https://%' AND
+    regex_match(cmdline, 'http(s)?:\/\/[A-Za-z0-9-]+(:|\/)', 0) IS NULL AND regex_match(cmdline, 
+    'http(s)?:\/\/[A-Za-z0-9-\.]+\.(test|example|invalid|localhost|local|eranet)', 0) IS NULL AND 
+    regex_match(cmdline, 'OED\sEntry\sEditor', 0) IS NULL
+  interval: 86400
+  snapshot: true
+  description: Mshta is a Windows binary that allows to execute malicious code in
+    different ways, such as code hosted on external URLs, or locally hosted
+    scripts. Mshta is a native windows binary that can execute VBScript,
+    JScript,  and Microsoft HTML Application (HTA) files. It is capable of
+    executing code  from remote URLs and from local files on disk. Mshta has
+    been known to be used by a variety of threat actors like CoralRaider and malware families such
+    as ModernLoader to execute malicious payloads.
+  references:
+  - 150dd450f343c7b1e3b2715eae3ed470c1c1fadf91f2048516315f1500a58ffa
+  - 74ea6e91c00baad0b77575740eb7f0fb5ad1d05ddea8227dc1aa477e179e62df
+  - 3ae459746637e6f5536f3ba4158c822031578335505a512df3c31728cac8f627
+  - 88528be553f2a6f72e2ae0243ea907d5dcdcd7c8777831b4c3ab2a67128bc9b9
+  - fd53383d85b39e68d817e39030aa2184764ab4de2d478b7e33afc39dd9661e96
+  - e68c9aedfd080fe8e54b005482fcedb16f97caa6f7dcfb932c83b29597c6d957
+  - 8c732ec41550851cc933e635708820ec9202fddc69232ca4ed625d420aec3d86
+  - 1942c417f2b71068fb4c1abb31bc77426bbe3513334cdaceaff3603955830e21
+  - 5ad73cf7e08b8c7bab0d96ba92607b8c9b22b61354052cf59df93b782b6e039b
+  - a1f16ab97b9516e85c202ff00bd77b0b5e0e4ed29bfad28797fbbd0f25a8e0ae
+  mitre_tactics:
+  - Defense Evasion: TA0005
+  mitre_techniques:
+  - Mshta: T1218.005
+  platform:
+  - windows
diff --git a/win_malware/malware_rhadamanthys_registry_key_created.yaml b/win_malware/malware_rhadamanthys_registry_key_created.yaml
@@ -0,0 +1,21 @@
+Rhadamanthys Registry Key Created:
+  query: SELECT key as reg_key, path as reg_path, name, data, mtime as most_recent_write FROM registry
+    WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\SibCode' AND LOWER(name) = 'sn'
+  interval: 86400
+  snapshot: true
+  description: A Registry Key associated with Rhadamanhys Malware has been created on
+    the system. This registry key determines if it is already executing,
+    preventing it from reinfecting an already infected system. Rhadamanhys is a
+    modular multifunctional information stealer that collects and exfiltrates
+    data from various web browsers and other applications on a target system.
+  references:
+  - b796cc4a54ee27601c1ed3a0016caa6f58206f4f280391f67820b8b019602add
+  - 5cb65b469023dcc77ede21c66a753fa9cbe67597aae142958fce4936ce3974aa
+  mitre_tactics:
+  - Defense Evasion: TA0005
+  - Exfiltration: TA010
+  mitre_techniques:
+  - Exfiltration Over C2 Channel: T1041
+  - Modify Registry: T1112
+  platform:
+  - windows
diff --git a/win_malware/malware_windows_defender_exclusion_added.yaml b/win_malware/malware_windows_defender_exclusion_added.yaml
@@ -0,0 +1,18 @@
+Windows Defender Exclusion Added:
+  query: SELECT key as reg_key, path as reg_path, name, data, mtime as most_recent_write FROM registry
+    WHERE (key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' OR
+    key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes') AND data = '0'
+  interval: 86400
+  snapshot: true
+  description: An exclusion was added to Windows Defender via the registry. Adversaries
+    may modify and/or disable security tools to avoid possible detection of
+    their malware/tools and activities.
+  references:
+  - 3ea37eca22d485f0c07846e9ef4bbf9b76719dc47ad584517275d364452bf86d
+  - 3594efd0e23a63a2e4d036b13a93d68ad8b4bc914cfd6098cabccc9f9745411f
+  mitre_tactics:
+  - Defense Evasion: TA0005
+  mitre_techniques:
+  - Disable or Modify Tools: T1562.001
+  platform:
+  - windows