Techniques
Sample rules
Windows Mustang Panda USB Tool Execution
- source: splunk
- technicques:
- T1574.001
- T1204.002
- T1020
Description
Detects known executables used for infection or DLL side loading by Mustang Panda being launched from a non-C:\ location. This can indicate a compromise via USB, or external storage device. You will have to adapt this detection if you do not use C:\ as the root device.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
NOT Processes.process_path="C:\\*"
Processes.process_path IN (
"*atkexComSvcRes.exe",
"*AtlTraceTool8.exe",
"*browser.ex",
"*CefSub.exe",
"*dabs.ex",
"*FacialFeatureDemo.exe",
"*GoogleUpdate*.exe",
"*GUP.exe",
"*HPCustParticUI.exe",
"*install_.exe",
"*mcsync.ex",
"*melt_64.exe",
"*mscorsvw.exe",
"*OleView.exe",
"*piz.exe",
"*PlugInInstallerUtility2.exe",
"*rar330.exe",
"*Samvd.exe",
"*scx.exe",
"*spoololk.exe",
"*Symantec.exe",
"*SymantecHp.exe",
"*Symantecs.exe",
"*Symantecsy.exe",
"*upservice.exe",
"*vivaldi.exe",
"*wsc_proxy.exe",
"*ygfdt.exe"
)
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_mustang_panda_usb_tool_execution_filter`