| ID | Technique | Tactic |
|---|---|---|
| T1059.005 | Visual Basic | Execution |
| T1204.002 | Malicious File | Execution |
Detection: Cisco NVM - Susp Script From Archive Triggering Network Activity
Description
This analytic detects script execution (wscript.exe or cscript.exe) triggered from compressed files opened directly using
explorer.exe, winrar.exe, or 7zFM.exe.
When a user double clicks on a ".js" file from within one of these compressed files. Its extracted temporally in the temp directory in folder with certain markers.
It leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection.
This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
Search
1`cisco_network_visibility_module_flowdata`
2parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
3process_name IN ("wscript.exe", "cscript.exe")
4process_arguments = "*\\AppData\\Local\\Temp\\*"
5process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")
6
7| stats count min(_time) as firstTime max(_time) as lastTime
8 values(parent_process_arguments) as parent_process_arguments
9 values(process_arguments) as process_arguments
10 values(parent_process_hash) as parent_process_hash
11 values(process_hash) as process_hash
12 values(module_name_list) as module_name_list
13 values(module_hash_list) as module_hash_list
14 values(dest_port) as dest_port
15 values(aliul) as additional_logged_in_users_list
16 values(dest_hostname) as dest_hostname
17 by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
18
19| `security_content_ctime(firstTime)`
20
21| `security_content_ctime(lastTime)`
22
23| table
24 parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
25 process_integrity_level process_path process_name process_arguments process_hash process_id
26 additional_logged_in_users_list module_name_list module_hash_list
27 src dest_hostname dest dest_port transport firstTime lastTime
28
29| `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___susp_script_from_archive_triggering_network_activity_filter | search * |
cisco_nvm___susp_script_from_archive_triggering_network_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.AE
CIS 10
APT12
APT19
APT28
APT29
APT30
APT32
APT33
APT37
APT38
APT39
APT42
Ajax Security Team
Andariel
Aoqin Dragon
BITTER
BRONZE BUTLER
BlackTech
CURIUM
Cobalt Group
Confucius
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly
EXOTIC LILY
Earth Lusca
Elderwood
FIN13
FIN4
FIN6
FIN7
FIN8
Ferocious Kitten
Gallmaker
Gamaredon Group
Gorgon Group
HEXANE
Higaisa
Inception
IndigoZebra
Indrik Spider
Kimsuky
Lazarus Group
LazyScripter
Leviathan
Machete
Magic Hound
Malteiro
Mofang
Molerats
Moonstone Sleet
MuddyWater
Mustang Panda
Naikon
Nomadic Octopus
OilRig
PLATINUM
PROMETHIUM
Patchwork
RTM
Rancor
RedCurl
Saint Bear
Sandworm Team
SideCopy
Sidewinder
Silence
Star Blizzard
Storm-1811
TA2541
TA459
TA505
TA551
The White Company
Threat Group-3390
Tonto Team
Transparent Tribe
Tropic Trooper
Turla
WIRTE
Whitefly
Windshift
Wizard Spider
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
Some software installers or automation scripts may extract and run scripts from archive files in temporary directories. However, it is uncommon for such scripts to initiate outbound network connections immediately upon extraction. This behavior should be considered suspicious and investigated, especially in environments where such scripting is not typical.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
$process_path$ running from $parent_process_name$ with archive-related execution in Temp was observed from host $src$ performing network a connection towards $dest$ / $dest_hostname$ over port $dest_port$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 40 | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1