Name:Windows File Without Extension In Critical Folder id:0dbcac64-963c-11ec-bf04-acde48001122 version:3 date:2024-09-30 author:Teoderick Contreras, Bhavin Patel, Splunk status:production type:TTP Description:The following analytic detects the creation of files without extensions in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability. Data_source:
-Sysmon EventID 1 AND Sysmon EventID 11
search:| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field="file_name" "\.(?<extension>[^\.]*$)" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives:Unknown at this point References: -https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Data Destruction' - 'Hermetic Wiper' asset_type:Endpoint confidence:100 impact:90 message:Driver file with out file extension drop in $file_path$ in $dest$ mitre_attack_id: - 'T1485' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Filesystem.file_create_time' - 'Filesystem.process_id' - 'Filesystem.file_name' - 'Filesystem.user' - 'Filesystem.file_path' - 'Filesystem.dest' - 'Processes.process_name' - 'Processes.dest' - 'Processes.process_guid' - 'Processes.user' risk_score:90 security_domain:endpoint
