security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Snake Malware Atomic Tests

Browse Source
This commit is contained in:
Michael Haag
2023-05-11 12:40:31 -06:00
parent 4177d016ad
commit 1ebcb346f6
4 changed files with 56 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1027/T1027.yaml
+13
View File
@@ -202,3 +202,16 @@ atomic_tests:
2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.
name: manual
- name: Snake Malware Encrypted crmlog file
description: |
The following Atomic Test will create a file with a specific name and sets its attributes to Hidden, System, and Archive. This was related to the Snake Malware campaign and is later decrypted by Snake's kernel driver.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
supported_platforms:
- windows
executor:
command: |
$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"
cleanup_command: |
$fileNameToDelete = '04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog'; $filePathToDelete = "$env:windir\registration\"; $fullPathToDelete = Join-Path $filePathToDelete $fileNameToDelete; if (Test-Path $fullPathToDelete) { Remove-Item -Path $fullPathToDelete -Force; Write-Host "File deleted: $fullPathToDelete" } else { Write-Host "File not found: $fullPathToDelete" }
name: powershell
elevation_required: true
atomics/T1112/T1112.yaml
+13
View File
@@ -858,3 +858,16 @@ atomic_tests:
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5
name: command_prompt
elevation_required: true
- name: Snake Malware Registry Blob
description: |
The following Atomic Test creates a registry blob in HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, which is related to Snake Malware. Per the report, upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
supported_platforms:
- windows
executor:
command: |
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name "AtomicSnake" -Value $randomBytes -PropertyType Binary -Force | Out-Null
cleanup_command: |
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
name: powershell
elevation_required: true
atomics/T1547.006/T1547.006.yaml
+15
View File
@@ -106,3 +106,18 @@ atomic_tests:
elevation_required: true
cleanup_command: |
rm -f #{exe_path}
- name: Snake Malware Kernel Driver Comadmin
description: |
The following Atomic Test will write an file, comadmin.dat, to disk. From the report, Snake's installer drops the kernel driver and a custom DLL which is used to load the driver into a
single AES encrypted file on disk. Typically, this file is named “comadmin.dat” and is stored in the %windows%\system32\Com directory.
This Atomic Test will write a hardcoded named file to disk in the com directory named comadmin.dat.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
supported_platforms:
- windows
executor:
command: |
$examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
cleanup_command: |
$examplePath = Join-Path $env:windir "system32\Com"; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }
name: powershell
elevation_required: true
atomics/T1569.002/T1569.002.yaml
+15 -2
View File
@@ -71,8 +71,6 @@ atomic_tests:
command: |
#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
name: command_prompt
- name: psexec.py (Impacket)
auto_generated_guid: edbcd8c9-3639-4844-afad-455c91e95a35
description: |
@@ -178,3 +176,18 @@ atomic_tests:
command: |
"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
name: command_prompt
- name: Snake Malware Service Create
description: |
The following Atomic Test will create a new service named WerFaultSvc with a binary path of WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe.
This was recently seen in the Snake Malware report.
Upon execution, sc.exe will create a new service named WerFaultSvc with a bin path \WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe and a display name of WerFault Service.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
supported_platforms:
- windows
executor:
command: |
sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto
cleanup_command: |
sc.exe delete "WerFaultSvc"
name: command_prompt
elevation_required: true