
Windows Replication Through Removable Media

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects the creation or dropping of executable or script files in the root directory of a removable drive. It leverages data from the Endpoint.Filesystem datamodel, focusing on specific file types and their creation paths. This activity is significant as it may indicate an attempt to spread malware, such as ransomware, via removable media. If confirmed malicious, this behavior could lead to unauthorized code execution, lateral movement, or persistence within the network, potentially compromising sensitive data and systems.

MITRE ATT&CK coverage

Tactic            Technique
Initial Access    T1091 Replication Through Removable Media
Lateral Movement  T1091 Replication Through Removable Media

Event coverage

Provider  Event ID  Title
Sysmon    11        FileCreate

Stages and Predicates

Stage 1: tstats

tstats WHERE Filesystem.file_name IN ("*.bat", "*.cmd", "*.com", "*.dll", "*.exe", "*.js", "*.lnk", "*.pif", "*.sys", "*.url", "*.vbe", "*.vbs") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product

Stage 2: search

search

Stage 3: eval

eval ... using (file_path)

Stage 4: eval

eval ... using (dropped_file_path)

Stage 5: eval

eval ... using (dropped_file_path)

Stage 6: where

where dropped_file_path_split_count=2 root_drive like "%:" root_drive!="C:"

Stage 7: search

search

Stage 8: search

search

Stage 9: search

search `macro`
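The stages above reduce to a small set of predicates: split the dropped file's path on the backslash, require exactly two parts (a root drive and a file name), require the root drive to end in a colon, exclude "C:", and match the file name against the extension list. The following is an added example, not Splunk's own code, that applies the same predicates in Python to constructed Sysmon Event ID 11 style records (the event field names and sample values are assumptions):

```python
import os

# Extensions the rule's tstats stage matches in Filesystem.file_name (taken from the rule).
DROPPED_EXTENSIONS = {
    ".bat", ".cmd", ".com", ".dll", ".exe", ".js",
    ".lnk", ".pif", ".sys", ".url", ".vbe", ".vbs",
}


def is_removable_root_drop(file_path: str) -> bool:
    """Return True if file_path is a flagged file type written to the root of a non-C: drive.

    Mirrors the rule's where stage: split the path on "\\", require exactly two
    parts (root drive + file name), require the root drive to end in ":" (the
    SPL `like "%:"`), exclude "C:" literally, and check the extension list.
    """
    parts = file_path.split("\\")
    if len(parts) != 2:                      # dropped_file_path_split_count=2
        return False
    root_drive, file_name = parts
    if not root_drive.endswith(":"):         # root_drive like "%:"
        return False
    if root_drive == "C:":                   # root_drive!="C:" (literal comparison, as in SPL where)
        return False
    ext = os.path.splitext(file_name)[1].lower()
    return ext in DROPPED_EXTENSIONS


def find_removable_drops(events):
    """Run the check over file-create records and return the ones the rule would flag."""
    return [e for e in events if is_removable_root_drop(e["file_path"])]


# Constructed sample events (not real telemetry); hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "file_path": "E:\\setup.exe"},          # root of a non-C: drive -> match
    {"dest": "ws01", "user": "alice", "file_path": "E:\\docs\\notes.txt"},    # subfolder, non-script -> no
    {"dest": "ws02", "user": "bob",   "file_path": "C:\\tools\\run.bat"},     # C: and nested -> no
    {"dest": "ws02", "user": "bob",   "file_path": "C:\\run.bat"},            # root of C: is excluded -> no
    {"dest": "ws03", "user": "carol", "file_path": "F:\\update.vbs"},         # script at drive root -> match
    {"dest": "ws03", "user": "carol", "file_path": "\\\\srv\\share\\x.exe"},  # UNC path, split count != 2 -> no
]

if __name__ == "__main__":
    for hit in find_removable_drops(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} {hit['file_path']}")
```

Note that the rule keys on the drive letter alone, so a non-C: fixed disk or a mapped network drive letter would also satisfy the where stage; the trailing search stages and macro are where such noise is filtered.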

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank cell or a count of 1 shows that the indicator is specific to this rule.

Field: Filesystem.file_name
Kind: in
Values:
  • "*.bat" corpus 4 (splunk 4)
  • "*.cmd" corpus 4 (splunk 4)
  • "*.com" corpus 4 (splunk 4)
  • "*.dll" corpus 6 (splunk 6)
  • "*.exe" corpus 7 (splunk 7)
  • "*.js" corpus 5 (splunk 5)
  • "*.lnk" corpus 2 (splunk 2)
  • "*.pif" corpus 5 (splunk 5)
  • "*.sys" corpus 4 (splunk 4)
  • "*.url"
  • "*.vbe" corpus 5 (splunk 5)
  • "*.vbs" corpus 5 (splunk 5)

Field: dropped_file_path_split_count
Kind: eq
Values:
  • 2 corpus 2 (splunk 2)

Field: root_drive
Kind: like
Values:
  • "%:"

Field: root_drive
Kind: ne
Values:
  • "C:"