Name:Windows File Without Extension In Critical Folder id:0dbcac64-963c-11ec-bf04-acde48001122 version:5 date:2024-11-13 author:Teoderick Contreras, Bhavin Patel, Splunk status:production type:TTP Description:The following analytic detects the creation of files without extensions in critical folders like "System32\Drivers." It leverages data from the Endpoint.Filesystem datamodel, focusing on file paths and creation times. This activity is significant as it may indicate the presence of destructive malware, such as HermeticWiper, which drops driver components in these directories. If confirmed malicious, this behavior could lead to severe system compromise, including boot sector wiping, resulting in potential data loss and system inoperability. Data_source:
-Sysmon EventID 11
search:| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | rex field="file_name" "\.(?<extension>[^\.]*$)" | where isnull(extension) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_without_extension_in_critical_folder_filter`
how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node. known_false_positives:Unknown at this point References: -https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Data Destruction' - 'Hermetic Wiper' asset_type:Endpoint mitre_attack_id: - 'T1485' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
