Name:Windows Known GraphicalProton Loaded Modules id:bf471c94-0324-4b19-a113-d02749b969bc version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects the loading of DLL modules associated with the GraphicalProton backdoor implant, commonly used by SVR in targeted attacks. It leverages Sysmon EventCode 7 to identify specific DLLs loaded by processes. This activity is significant as it may indicate the presence of a sophisticated backdoor, warranting immediate investigation. If confirmed malicious, the attacker could gain persistent access to the compromised host, potentially leading to further exploitation and data exfiltration. Data_source:
-Sysmon EventID 7
search:`sysmon` EventCode=7 ImageLoaded IN ("*\\AclNumsInvertHost.dll", "*\\ModeBitmapNumericAnimate.dll", "*\\UnregisterAncestorAppendAuto.dll", "*\\DeregisterSeekUsers.dll", "*\\ScrollbarHandleGet.dll", "*\\PerformanceCaptionApi.dll", "*\\WowIcmpRemoveReg.dll", "*\\BlendMonitorStringBuild.dll", "*\\HandleFrequencyAll.dll", "*\\HardSwapColor.dll", "*\\LengthInMemoryActivate.dll", "*\\ParametersNamesPopup.dll", "*\\ModeFolderSignMove.dll", "*\\ChildPaletteConnected.dll", "*\\AddressResourcesSpec.dll") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name dest EventCode Signed ProcessId Hashes IMPHASH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_known_graphicalproton_loaded_modules_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives:unknown References: -https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CISA AA23-347A' asset_type:Endpoint confidence:60 impact:60 message:Windows Known GraphicalProton backdoor Loaded Modules on $dest$. mitre_attack_id: - 'T1574.002' - 'T1574' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:36 required_fields: - '_time' - 'Image' - 'ImageLoaded' - 'process_name' - 'dest' - 'EventCode' - 'Signed' - 'ProcessId' - 'Hashes' - 'IMPHASH' security_domain:endpoint
