false positives may be present as the file pattern does match legitimate files on disk. it is possible other native tools write the same file name scheme.

t1027
endpoint
splunk

Techniques

T1027

Sample rules

Windows Snake Malware File Modification Crmlog

source: splunk
technicques:
- T1027

Description

The following analytic identfies a .crmlog written to windows\registration. Per the report, typically, this file has been found within the %windows%\Registration directory with the format of <RANDOM_GUID>.<RANDOM_GUID>.crmlog and is decrypted by Snake’s kernel driver.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND  Filesystem.file_name="*.crmlog"  by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name Filesystem.file_path Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `windows_snake_malware_file_modification_crmlog_filter`