LoFP / false positives may be present as the file pattern does match legitimate files on disk. it is possible other native tools write the same file name scheme.

Techniques

• T1027

Sample rules

Windows Snake Malware File Modification Crmlog

• source: splunk
• technicques:
  • T1027

Description

The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of <RANDOM_GUID>.<RANDOM_GUID>.crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND  Filesystem.file_name="*.crmlog"  by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name Filesystem.file_path Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `windows_snake_malware_file_modification_crmlog_filter`