Techniques
Sample rules
Windows Snake Malware Service Create
- source: splunk
- technicques:
- T1547.006
- T1569.002
Description
The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.
Detection logic
`wineventlog_system` EventCode=7045 ImagePath="*\\windows\\winSxS\\*" ImagePath="*\Werfault.exe"
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_snake_malware_service_create_filter`