
Splunk Tags - Detect Regin Backdoor Logs Files

Nov 26th, 2014
  1. # Splunk search/tags to detect Regin malware components in your log data
  2. #
# We assume that the samples published in the Symantec and Kaspersky reports are no longer in active use
# and have already been replaced by more sophisticated versions, so a hit on these indicators should be
# treated as a 'lucky shot'. Historical log data may nevertheless let you prove a past infection, even
# after the intelligence agencies behind Regin have removed their files and registry keys from the
# compromised systems.
  7. #
# This search and tag definition includes IOCs for
#
# 1. File names and paths
#    Where they may show up: Windows event logs (only if process-creation / object-access auditing is
#    enabled -- it is typically off by default), application error reports, AV detection logs.
#    Caveat: several of these names resemble legitimate Windows driver and system file names, so a match
#    on the bare file name is weak evidence on its own; confirm with the full path, the hash or the file
#    itself before calling it an infection.
# 2. MD5 hashes
#    Where they may show up: security software logs, incident response / IOC scanner logs.
#    Caveat: a hash only matches the exact sample it was taken from; a repacked or recompiled variant
#    will not match, so the absence of a hash hit is not evidence of absence.
#
  15. # Contact / False Positives / Feedback / Improvements
  16. # Twitter: @Malwrsignatures
  17.  
  18. # SEARCH ########################################################
  19. #
# Copy & paste into the search bar or a saved search / app. The terms are plain OR-ed keywords, so put an
# index/sourcetype restriction in front (e.g. index=windows_server) to keep the search cheap. Backslashes
# in paths are doubled because the backslash is the escape character in Splunk search syntax.
  21.  
  22. usbclass.sys OR adpu160.sys OR msrdc64.dat OR msdcsvc.dat OR config\\SystemAudit.Evt OR config\\SecurityAudit.Evt OR config\\SystemLog.evt OR config\\ApplicationLog.evt OR ime\\imesc5\\dicts\\pintlgbs.imd OR ime\\imesc5\\dicts\\pintlgbp.imd OR winhttpc\.dll OR wshnetc.dll OR SysWow64\\wshnetc.dll OR svcstat\.exe OR svcsstat\.exe OR IME\\IMESC5\\DICTS\\PINTLGBP\.IMD OR wsharp\.dll OR wshnetc\.dll OR pchealth\\helpctr\\Database\\cdata.dat OR pchealth\\helpctr\\Database\\cdata.edb OR Windows\\Panther\\setup.etl.000 OR wbem\\repository\\INDEX2.DATA OR wbem\\repository\\OBJECTS2.DATA OR dnscache.dat OR mregnx.dat OR displn32.dat OR dmdskwk.dat OR nvwrsnu.dat OR tapiscfg.dat OR d240f06e98c8d3e647cbf4d442d79475 OR db405ad775ac887a337b02ea8b07fddc OR 01c2f321b6bfdb9473c079b0797567ba OR 4b6b86c7fec1c574706cecedf44abded OR b505d65721bb2453d5039a389113b566 OR ba7bb65634ce1e30c1e5415be3d1db1d OR 22bfc970f707fd775d49e875b63c2f0c OR 2c8b9d2885543d7ade3cae98225e263b OR 47d0e8f9d7a6429920329207a32ecc2e OR bfbe8c3ee78750c3a520480700e440f8 OR 744c07e886497f7b68f6f7fe57b7ab54 OR b29ca4f22ae7b7b25f79c1d4a421139d OR 1352a9210c8d9120f55f98f90fa5fc5c OR 7137720651a55fb8978138c8bf36f00f OR b269894f434657db2b15949641a67532 OR 187044596bc1328efa0ed636d8aa4a5c OR ffb0b9b5b610191051a7bdf0806e1e47 OR 26297dc3cd0b688de3b846983c5385e5 OR 1c024e599ac055312a4ab75b3950040a OR 148c1bb9d405d717252c77593aff4bd8 OR 6662c390b2bbbd291ec7987388fc75d7 OR 049436bb90f71cf38549817d9b90e2da OR 06665b96e293b23acc80451abb413e50 OR e97f6268c7b5f2f8844e2c1bfaae72c8 OR ffb0b9b5b610191051a7bdf0806e1e47 OR bfbe8c3ee78750c3a520480700e440f8 OR b29ca4f22ae7b7b25f79c1d4a421139d OR 06665b96e293b23acc80451abb413e50 OR c1febbf853b0928c702ad3d38016bb36 OR 02c5c3983983d15405875894cab47bac OR 85bd9de0382a13c09705c26a8306e22e OR 55b8dbe7bb0c37c05a30cc75742401a5 OR a8c032ba411c1f63220d7e7ce883ee8e OR 66afaa303e13faa4913eaad50f7237ea OR 0b26e313ed4a7ca6904b0e9369e5b957 OR 50f12169cbaa73ed665f665e1891f59d OR 
7ee9d65c02483fd8e12a915dd20430a9 OR 1e767f079ae0982da11f2b7964745289 OR 52897d02af0f7658e64e0db6af537dc2 OR 83791bb6ee1de2927c90556e46e7cfe1 OR b7cbb79edd04c32dc46e23407d0c4139 OR b0a35d8ed2d852230265bff39e57d9e5 OR 5ecff6d766ec3fcce9208c3e37f36306 OR 2c8b9d2885543d7ade3cae98225e263b OR 4b6b86c7fec1c574706cecedf44abded OR 187044596bc1328efa0ed636d8aa4a5c OR d240f06e98c8d3e647cbf4d442d79475 OR 6662c390b2bbbd291ec7987388fc75d7 OR 1c024e599ac055312a4ab75b3950040a OR ba7bb65634ce1e30c1e5415be3d1db1d OR b505d65721bb2453d5039a389113b566 OR b269894f434657db2b15949641a67532
  23.  
  24. # TAGS ##########################################################
  25. #
# 1. Add this to tags.conf (note the plural -- a file named tag.conf is not read) and check that the
#    tag appears in Settings > Tags.
# 2. Search your log data like this: index=windows_server tag=regin
#    Caveat: a tag stanza matches a field/value pair as a whole, so a tag on _raw=<file name> only hits
#    events whose entire raw text is that file name. To tag every event that merely contains one of the
#    indicators, put the OR-list from the search above into an eventtype (eventtypes.conf) and tag
#    [eventtype=<name>] instead.
  28.  
  29. [_raw=usbclass.sys]
  30. regin = enabled
  31.  
  32. [_raw=adpu160.sys]
  33. regin = enabled
  34.  
  35. [_raw=msrdc64.dat]
  36. regin = enabled
  37.  
  38. [_raw=msdcsvc.dat]
  39. regin = enabled
  40.  
  41. [_raw=SystemAudit.Evt]
  42. regin = enabled
  43.  
  44. [_raw=SecurityAudit.Evt]
  45. regin = enabled
  46.  
  47. [_raw=SystemLog.evt]
  48. regin = enabled
  49.  
  50. [_raw=ApplicationLog.evt]
  51. regin = enabled
  52.  
  53. [_raw=%5Cime%5Cimesc5%5Cdicts%5Cpintlgbs.imd]
  54. regin = enabled
  55.  
  56. [_raw=%5Cime%5Cimesc5%5Cdicts%5Cpintlgbp.imd]
  57. regin = enabled
  58.  
  59. [_raw=%5CSystem32%5Cwinhttpc.dll]
  60. regin = enabled
  61.  
  62. [_raw=%5CSystem32%5Cwshnetc.dll]
  63. regin = enabled
  64.  
  65. [_raw=%5CSysWow64%5Cwshnetc.dll]
  66. regin = enabled
  67.  
  68. [_raw=svcstat.exe]
  69. regin = enabled
  70.  
  71. [_raw=svcsstat.exe]
  72. regin = enabled
  73.  
  74. [_raw=IME%5CIMESC5%5CDICTS%5CPINTLGBP.IMD]
  75. regin = enabled
  76.  
  77. [_raw=wsharp.dll]
  78. regin = enabled
  79.  
  80. [_raw=wshnetc.dll]
  81. regin = enabled
  82.  
  83. [_raw=pchealth%5Chelpctr%5CDatabase%5Ccdata.dat]
  84. regin = enabled
  85.  
  86. [_raw=pchealth%5Chelpctr%5CDatabase%5Ccdata.edb]
  87. regin = enabled
  88.  
  89. [_raw=Windows%5CPanther%5Csetup.etl.000]
  90. regin = enabled
  91.  
  92. [_raw=System32%5Cwbem%5Crepository%5CINDEX2.DATA]
  93. regin = enabled
  94.  
  95. [_raw=System32%5Cwbem%5Crepository%5COBJECTS2.DATA]
  96. regin = enabled
  97.  
  98. [_raw=dnscache.dat]
  99. regin = enabled
  100.  
  101. [_raw=mregnx.dat]
  102. regin = enabled
  103.  
  104. [_raw=displn32.dat]
  105. regin = enabled
  106.  
  107. [_raw=dmdskwk.dat]
  108. regin = enabled
  109.  
  110. [_raw=nvwrsnu.dat]
  111. regin = enabled
  112.  
  113. [_raw=tapiscfg.dat]
  114. regin = enabled
  115.  
  116. [_raw=d240f06e98c8d3e647cbf4d442d79475]
  117. regin = enabled
  118.  
  119. [_raw=db405ad775ac887a337b02ea8b07fddc]
  120. regin = enabled
  121.  
  122. [_raw=01c2f321b6bfdb9473c079b0797567ba]
  123. regin = enabled
  124.  
  125. [_raw=4b6b86c7fec1c574706cecedf44abded]
  126. regin = enabled
  127.  
  128. [_raw=b505d65721bb2453d5039a389113b566]
  129. regin = enabled
  130.  
  131. [_raw=ba7bb65634ce1e30c1e5415be3d1db1d]
  132. regin = enabled
  133.  
  134. [_raw=22bfc970f707fd775d49e875b63c2f0c]
  135. regin = enabled
  136.  
  137. [_raw=2c8b9d2885543d7ade3cae98225e263b]
  138. regin = enabled
  139.  
  140. [_raw=47d0e8f9d7a6429920329207a32ecc2e]
  141. regin = enabled
  142.  
  143. [_raw=bfbe8c3ee78750c3a520480700e440f8]
  144. regin = enabled
  145.  
  146. [_raw=744c07e886497f7b68f6f7fe57b7ab54]
  147. regin = enabled
  148.  
  149. [_raw=b29ca4f22ae7b7b25f79c1d4a421139d]
  150. regin = enabled
  151.  
  152. [_raw=1352a9210c8d9120f55f98f90fa5fc5c]
  153. regin = enabled
  154.  
  155. [_raw=7137720651a55fb8978138c8bf36f00f]
  156. regin = enabled
  157.  
  158. [_raw=b269894f434657db2b15949641a67532]
  159. regin = enabled
  160.  
  161. [_raw=187044596bc1328efa0ed636d8aa4a5c]
  162. regin = enabled
  163.  
  164. [_raw=ffb0b9b5b610191051a7bdf0806e1e47]
  165. regin = enabled
  166.  
  167. [_raw=26297dc3cd0b688de3b846983c5385e5]
  168. regin = enabled
  169.  
  170. [_raw=1c024e599ac055312a4ab75b3950040a]
  171. regin = enabled
  172.  
  173. [_raw=148c1bb9d405d717252c77593aff4bd8]
  174. regin = enabled
  175.  
  176. [_raw=6662c390b2bbbd291ec7987388fc75d7]
  177. regin = enabled
  178.  
  179. [_raw=049436bb90f71cf38549817d9b90e2da]
  180. regin = enabled
  181.  
  182. [_raw=06665b96e293b23acc80451abb413e50]
  183. regin = enabled
  184.  
  185. [_raw=e97f6268c7b5f2f8844e2c1bfaae72c8]
  186. regin = enabled
  187.  
  188. [_raw=ffb0b9b5b610191051a7bdf0806e1e47]
  189. regin = enabled
  190.  
  191. [_raw=bfbe8c3ee78750c3a520480700e440f8]
  192. regin = enabled
  193.  
  194. [_raw=b29ca4f22ae7b7b25f79c1d4a421139d]
  195. regin = enabled
  196.  
  197. [_raw=06665b96e293b23acc80451abb413e50]
  198. regin = enabled
  199.  
  200. [_raw=c1febbf853b0928c702ad3d38016bb36]
  201. regin = enabled
  202.  
  203. [_raw=02c5c3983983d15405875894cab47bac]
  204. regin = enabled
  205.  
  206. [_raw=85bd9de0382a13c09705c26a8306e22e]
  207. regin = enabled
  208.  
  209. [_raw=55b8dbe7bb0c37c05a30cc75742401a5]
  210. regin = enabled
  211.  
  212. [_raw=a8c032ba411c1f63220d7e7ce883ee8e]
  213. regin = enabled
  214.  
  215. [_raw=66afaa303e13faa4913eaad50f7237ea]
  216. regin = enabled
  217.  
  218. [_raw=0b26e313ed4a7ca6904b0e9369e5b957]
  219. regin = enabled
  220.  
  221. [_raw=50f12169cbaa73ed665f665e1891f59d]
  222. regin = enabled
  223.  
  224. [_raw=7ee9d65c02483fd8e12a915dd20430a9]
  225. regin = enabled
  226.  
  227. [_raw=1e767f079ae0982da11f2b7964745289]
  228. regin = enabled
  229.  
  230. [_raw=52897d02af0f7658e64e0db6af537dc2]
  231. regin = enabled
  232.  
  233. [_raw=83791bb6ee1de2927c90556e46e7cfe1]
  234. regin = enabled
  235.  
  236. [_raw=b7cbb79edd04c32dc46e23407d0c4139]
  237. regin = enabled
  238.  
  239. [_raw=b0a35d8ed2d852230265bff39e57d9e5]
  240. regin = enabled
  241.  
  242. [_raw=5ecff6d766ec3fcce9208c3e37f36306]
  243. regin = enabled
  244.  
  245. [_raw=2c8b9d2885543d7ade3cae98225e263b]
  246. regin = enabled
  247.  
  248. [_raw=4b6b86c7fec1c574706cecedf44abded]
  249. regin = enabled
  250.  
  251. [_raw=187044596bc1328efa0ed636d8aa4a5c]
  252. regin = enabled
  253.  
  254. [_raw=d240f06e98c8d3e647cbf4d442d79475]
  255. regin = enabled
  256.  
  257. [_raw=6662c390b2bbbd291ec7987388fc75d7]
  258. regin = enabled
  259.  
  260. [_raw=1c024e599ac055312a4ab75b3950040a]
  261. regin = enabled
  262.  
  263. [_raw=ba7bb65634ce1e30c1e5415be3d1db1d]
  264. regin = enabled
  265.  
  266. [_raw=b505d65721bb2453d5039a389113b566]
  267. regin = enabled
  268.  
  269. [_raw=b269894f434657db2b15949641a67532]
  270. regin = enabled