
Windows Snake Malware Kernel Driver Comadmin

Author: Michael Haag, Splunk
Source: upstream

The following analytic detects the creation of the comadmin.dat file in the %windows%\system32\Com directory, which is associated with Snake Malware. This detection leverages the Endpoint.Filesystem data model to identify file creation events matching the specified path and filename. This activity is significant because the comadmin.dat file is part of Snake Malware's installation process, which includes dropping a kernel driver and a custom DLL. If confirmed malicious, this activity could allow an attacker to load a malicious driver, potentially leading to privilege escalation and persistent access to the compromised system.

MITRE ATT&CK coverage

Tactic               | Technique
Persistence          | T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
Privilege Escalation | T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Event coverage

Provider | Event ID | Title
Sysmon   | 11       | FileCreate

Stages and Predicates

Stage 1: tstats

tstats WHERE Filesystem.file_name="comadmin.dat" Filesystem.file_path="*\\windows\\system32\\com\\*" BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
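The tstats stage above reduces to two predicates on Endpoint.Filesystem fields: an exact file name and a wildcard directory path. The Python below is an added illustration (not part of this rule or of Splunk's content) that applies the same two predicates to a handful of constructed Sysmon Event ID 11 records already mapped to the data model field names, so the matching behaviour (case-insensitive name, glob on the path, the drive letter absorbed by the leading wildcard) can be checked offline. The sample records, host names and process IDs are invented for the example.

```python
import fnmatch
from typing import Dict, List

# Constructed Sysmon Event ID 11 (FileCreate) records, already normalised to
# Endpoint.Filesystem field names. None of this is real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # expected hit: correct name in %windows%\system32\Com
        "dest": "ws01", "file_name": "comadmin.dat",
        "file_path": "C:\\Windows\\System32\\Com\\comadmin.dat",
        "process_id": 4812, "user": "NT AUTHORITY\\SYSTEM",
    },
    {   # same file name, but outside the monitored directory: no hit
        "dest": "ws02", "file_name": "comadmin.dat",
        "file_path": "C:\\Users\\alice\\Downloads\\comadmin.dat",
        "process_id": 2210, "user": "CORP\\alice",
    },
    {   # right directory, different file name: no hit
        "dest": "ws03", "file_name": "comadmin.dll",
        "file_path": "C:\\Windows\\System32\\Com\\comadmin.dll",
        "process_id": 904, "user": "NT AUTHORITY\\SYSTEM",
    },
    {   # expected hit: Windows paths are case-insensitive, so upper case must match too
        "dest": "ws04", "file_name": "COMADMIN.DAT",
        "file_path": "D:\\WINDOWS\\SYSTEM32\\COM\\COMADMIN.DAT",
        "process_id": 5120, "user": "NT AUTHORITY\\SYSTEM",
    },
]

# The two predicates from the rule's tstats WHERE clause.
FILE_NAME = "comadmin.dat"
PATH_GLOB = "*\\windows\\system32\\com\\*"


def matches(event: Dict[str, object]) -> bool:
    """Return True when the event satisfies both rule predicates.

    Both sides are lower-cased so the comparison is case-insensitive, the way a
    Splunk field match and the Windows filesystem behave. fnmatch treats the
    backslashes as literal characters, so the glob mirrors the Splunk wildcard.
    """
    name = str(event.get("file_name", "")).lower()
    path = str(event.get("file_path", "")).lower()
    return name == FILE_NAME and fnmatch.fnmatchcase(path, PATH_GLOB)


def run_detection(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to a batch of events and return the matching ones."""
    return [e for e in events if matches(e)]


def hits_by_dest(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Group hits per host, similar to a BY Filesystem.dest roll-up with count."""
    counts: Dict[str, int] = {}
    for e in run_detection(events):
        dest = str(e["dest"])
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['dest']}: {hit['file_path']} (pid {hit['process_id']}, {hit['user']})")
    print(hits_by_dest(SAMPLE_EVENTS))
```

Running it reports ws01 and ws04 only: the Downloads copy on ws02 fails the path predicate and comadmin.dll on ws03 fails the name predicate, which is the same filtering the Splunk stage performs before grouping by the listed fields.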

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                | Kind | Values
Filesystem.file_name | eq   | "comadmin.dat"
Filesystem.file_path | eq   | "*\\windows\\system32\\com\\*"