Techniques
Sample rules
Windows Snake Malware File Modification Crmlog
- source: splunk
- technicques:
- T1027
Description
The following analytic identfies a .crmlog written to windows\registration. Per the report, typically, this file has been found within the %windows%\Registration directory with the format of <RANDOM_GUID>.<RANDOM_GUID>.crmlog and is decrypted by Snake’s kernel driver.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND Filesystem.file_name="*.crmlog" by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_snake_malware_file_modification_crmlog_filter`