From 39f25c63466035bc592aba34c289d298c390a3b3 Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 12 Mar 2026 10:16:20 -0600
Subject: [PATCH 1/5] lotus blossom round 2
---
 ...system_information_discovery_detection.yml | 5 +-
 .../system_user_discovery_with_whoami.yml | 5 +-
 ...nder_submission_wizard_dll_sideloading.yml | 68 +++++++++++++++
 .../windows_bluetoothservice_persistence.yml | 76 ++++++++++++++++
 ...nder_submission_wizard_dll_sideloading.yml | 55 ++++++++++++
 .../windows_tinycc_shellcode_execution.yml | 86 +++++++++++++++++++
 .../windows_wmic_systeminfo_discovery.yml | 5 +-
 stories/lotus_blossom_chrysalis_backdoor.yml | 20 +++++
 8 files changed, 314 insertions(+), 6 deletions(-)
create mode 100644 detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
create mode 100644 detections/endpoint/windows_bluetoothservice_persistence.yml
create mode 100644 detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
create mode 100644 detections/endpoint/windows_tinycc_shellcode_execution.yml
create mode 100644 stories/lotus_blossom_chrysalis_backdoor.yml
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index 7f7c154094..e34c0507dd 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -1,7 +1,7 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-12'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -45,6 +45,7 @@ tags:
 - Interlock Ransomware
 - LAMEHUG
 - NetSupport RMM Tool Abuse
+ - Lotus Blossom Chrysalis Backdoor
 asset_type: Windows
 mitre_attack_id:
 - T1082
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 9cd822ae11..71e383bf9c 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -1,7 +1,7 @@
 name: System User Discovery With Whoami
 id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-12'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -62,6 +62,7 @@ tags:
 - CISA AA23-347A
 - PHP-CGI RCE Attack on Japanese Organizations
 - LAMEHUG
+ - Lotus Blossom Chrysalis Backdoor
 asset_type: Endpoint
 mitre_attack_id:
 - T1033
diff --git a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
new file mode 100644
index 0000000000..65345f9691
--- /dev/null
+++ b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
@@ -0,0 +1,68 @@
+name: Windows Bitdefender Submission Wizard DLL Sideloading
+id: f9593331-804c-4268-8b4c-2693c5ae786c
+version: 2
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+ Detects execution of rundll32 loading log.dll, as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious log.dll in %AppData%\Bluetooth and invoked it via rundll32.exe log.dll,LogInit to decrypt and execute shellcode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll; this detection focuses on the process-creation pattern (rundll32 with log.dll in command line) which is easier to deploy and test with EventID 1 and the Endpoint data model.
+data_source:
+ - Sysmon EventID 1
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+ from datamodel=Endpoint.Processes
+ where `process_rundll32` AND Processes.process=*log.dll*
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+how_to_implement: |
+ Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required.
+known_false_positives: |
+ Legitimate use of rundll32 to load log.dll from trusted locations may trigger this. Allowlist known paths or parent processes as needed.
+references:
+ - https://attack.mitre.org/techniques/T1574/002/
+ - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+ - https://attack.mitre.org/groups/G0065/
+drilldown_searches:
+ - name: View the detection results for - "$dest$" and "$user$"
+ search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL abuse
+ risk_objects:
+ - field: dest
+ type: system
+ score: 85
+ - field: user
+ type: user
+ score: 85
+ threat_objects:
+ - field: process_name
+ type: process_name
+ - field: process
+ type: command
+tags:
+ analytic_story:
+ - Lotus Blossom Chrysalis Backdoor
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1574.002
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+ cve: []
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/detections/endpoint/windows_bluetoothservice_persistence.yml b/detections/endpoint/windows_bluetoothservice_persistence.yml
new file mode 100644
index 0000000000..b810f12213
--- /dev/null
+++ b/detections/endpoint/windows_bluetoothservice_persistence.yml
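Review bot: The `where` clause `Processes.process=*log.dll*` is a substring match, so any rundll32 command line naming a DLL whose filename ends in log.dll is caught as well, which is broader than the rundll32.exe log.dll,LogInit pattern the description and rba message describe. If the bare filename is the intent, anchoring on a separator keeps both the relative and the absolute invocation, e.g. `where \`process_rundll32\` AND Processes.process IN ("* log.dll*", "*\\log.dll*")`; otherwise known_false_positives should say the match is a substring match so analysts expect the extra hits. Separately, this is a newly created file that carries `version: 2` while the other new detections in the series start at `version: 1`; if there is no prior published version this should be 1.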
@@ -0,0 +1,76 @@
+name: Windows BluetoothService Persistence
+id: f12b81e6-2fa2-48e0-95cd-f5f7e4d9ac89
+version: 1
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+ Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory.
+ While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.
+data_source:
+ - Windows Event Log System 7045
+search: |
+ `wineventlog_system` EventCode=7045
+ ServiceName IN ("BluetoothService", "Bluetooth Service")
+ ImagePath IN ("*\\AppData\\*", "*\\Users\\*\\Bluetooth\\*", "*\\Temp\\*", "*\\ProgramData\\*")
+ NOT ImagePath IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\Program Files*")
+ | stats count min(_time) as firstTime max(_time) as lastTime
+ by Computer, ServiceName, ImagePath, ServiceType, StartType, UserID
+ | rename Computer as dest, UserID as user_id
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+how_to_implement: |
+ To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type.
+
+ Ensure Windows Event Log forwarding is configured to send System logs to Splunk, or use a Windows Event Log collection agent. The Splunk Add-on for Microsoft Windows is required to properly parse these events.
+known_false_positives: |
+ Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if:
+
+ 1. Third-party Bluetooth software installs services in Program Files (excluded by this detection)
+ 2. Development or testing environments create test services
+
+ The detection specifically targets user-writable directories (AppData, Temp) which are strong indicators of malicious activity. Allowlist known-good third-party Bluetooth software installation paths if needed.
+references:
+ - https://attack.mitre.org/techniques/T1543/003/
+ - https://attack.mitre.org/techniques/T1036/
+ - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+drilldown_searches:
+ - name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Suspicious BluetoothService created on $dest$ with binary path $ImagePath$ in user-writable directory, indicating potential malware persistence
+ risk_objects:
+ - field: dest
+ type: system
+ score: 75
+ threat_objects:
+ - field: ServiceName
+ type: service
+ - field: ImagePath
+ type: file_path
+tags:
+ analytic_story:
+ - Lotus Blossom Chrysalis Backdoor
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1543.003
+ - T1036
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+ cve: []
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
+ sourcetype: XmlWinEventLog:System
+ source: XmlWinEventLog:System
diff --git a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
new file mode 100644
index 0000000000..a81e0286f7
--- /dev/null
+++ b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
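Review bot: The description states that a BluetoothService with a binary path under AppData, Temp or Downloads is suspicious, but the `ImagePath IN (...)` list in the search has no Downloads entry, so a service image placed directly in a user's Downloads folder (outside a Bluetooth subfolder) is not matched; either add `"*\\Downloads\\*"` to that list or drop Downloads from the description so the prose matches the search. The known_false_positives text likewise names only AppData and Temp as the targeted directories although ProgramData is also in the list. These are consistency fixes that do not change the detection's intent.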
@@ -0,0 +1,55 @@
+name: Windows Sysmon Bitdefender Submission Wizard DLL Sideloading
+id: a1b2c3d4-e5f6-4789-a012-3456789abcde
+version: 1
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: experimental
+type: TTP
+description: |
+ Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events. Same Lotus Blossom Chrysalis technique as the process-creation detection but uses ImageLoad for higher precision. Marked experimental because it requires Sysmon ImageLoad and test datasets may only include process creation.
+data_source:
+ - Sysmon EventID 7
+search: '`sysmon` EventCode=7 (Image IN ("*\\\\BDSubmit.exe", "*\\\\bdsw.exe", "*\\\\BluetoothService.exe") OR OriginalFileName IN ("BDSubmit.exe", "bdsw.exe")) ImageLoaded="*\\\\log.dll" NOT (ImageLoaded IN ("*\\\\System32\\\\*", "*\\\\SysWOW64\\\\*", "*\\\\Program Files*", "*\\\\Program Files (x86)*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SignatureStatus, User, OriginalFileName, loaded_file, loaded_file_path, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+how_to_implement: |
+ Ingest Sysmon ImageLoad events and ensure the Splunk Add-on for Sysmon is configured to parse them. Enable ImageLoad in Sysmon config for DLLs. Map logs to Endpoint data model where applicable.
+known_false_positives: |
+ Legitimate Bitdefender installations loading log.dll from Program Files are excluded. Allowlist known paths as needed.
+references:
+ - https://attack.mitre.org/techniques/T1574/002/
+ - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+ - https://attack.mitre.org/groups/G0065/
+drilldown_searches:
+ - name: View the detection results for - "$dest$" and "$User$"
+ search: '%original_detection_search% | search dest = "$dest$" User = "$User$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$" and "$User$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Bitdefender Submission Wizard loaded log.dll from a non-standard path on $dest$ by user $User$, indicating DLL side-loading
+ risk_objects:
+ - field: dest
+ type: system
+ score: 85
+ - field: User
+ type: user
+ score: 85
+ threat_objects:
+ - field: Image
+ type: process_name
+ - field: ImageLoaded
+ type: file_name
+tags:
+ analytic_story:
+ - Lotus Blossom Chrysalis Backdoor
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1574.002
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+ cve: []
diff --git a/detections/endpoint/windows_tinycc_shellcode_execution.yml b/detections/endpoint/windows_tinycc_shellcode_execution.yml
new file mode 100644
index 0000000000..37ee439caf
--- /dev/null
+++ b/detections/endpoint/windows_tinycc_shellcode_execution.yml
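Review bot: The `search:` value is a single-quoted YAML scalar, in which backslashes are literal, so patterns such as `"*\\\\BDSubmit.exe"` and `"*\\\\System32\\\\*"` reach SPL with four backslashes each, whereas the block-scalar searches elsewhere in this series (windows_bluetoothservice_persistence.yml, windows_tinycc_shellcode_execution.yml) use the `"*\\AppData\\*"` form with two; unless the build pipeline unescapes single-quoted searches differently, the ImageLoad patterns here would not match a single path separator and the detection would never fire. Writing the search as a `|` block scalar with `\\` like its siblings removes the discrepancy and is easier to read. The `id: a1b2c3d4-e5f6-4789-a012-3456789abcde` also looks like a hand-typed sample value rather than a generated UUID; replacing it with a freshly generated one avoids colliding with any other content that used the same placeholder.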
@@ -0,0 +1,86 @@
+name: Windows TinyCC Shellcode Execution
+id: fdb6774e-e465-4912-86e3-63cf9ab91491
+version: 1
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+ Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.
+ TinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.
+data_source:
+ - Sysmon EventID 1
+ - Windows Event Log Security 4688
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+ from datamodel=Endpoint.Processes
+ where (Processes.process_name="svchost.exe" OR Processes.process_name="tcc.exe")
+ AND (Processes.process="* -nostdlib*" AND Processes.process="* -run*")
+ AND (Processes.process="*.c" OR Processes.process="*conf.c*")
+ AND NOT Processes.process_path IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
+ by Processes.action Processes.dest Processes.user Processes.process Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+ Processes.process_name Processes.process_id Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_integrity_level Processes.process_path Processes.original_file_name Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+how_to_implement: |
+ To successfully implement this search, you need to be ingesting logs with process creation information from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventCode 1 (Process Create). Ensure that command-line arguments are being captured in your Sysmon configuration.
+
+ The detection relies on the OriginalFileName field being populated to distinguish between legitimate svchost.exe and renamed tcc.exe binaries. Ensure Sysmon is configured to capture full command-line arguments.
+known_false_positives: |
+ Legitimate TinyCC usage by developers may trigger this detection if executed from non-standard locations. However, the combination of:
+ 1. Renamed binary (svchost.exe with tcc.exe OriginalFileName)
+ 2. Execution from user-writable directories (AppData, Temp, ProgramData)
+ 3. Suspicious flags (-nostdlib -run) with .c file execution
+
+ is highly suspicious and warrants investigation. Legitimate TinyCC usage typically occurs from Program Files or developer directories with standard compilation workflows.
+
+ Allowlist known development environments if needed.
+references:
+ - https://attack.mitre.org/techniques/T1059/003/
+ - https://attack.mitre.org/techniques/T1027/
+ - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+ - https://github.com/phoenixthrush/Tiny-C-Compiler
+drilldown_searches:
+ - name: View the detection results for - "$dest$" and "$user$"
+ search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: TinyCC compiler abuse detected on $dest$ by user $user$ executing shellcode from $process_path$, indicating potential malicious code execution
+ risk_objects:
+ - field: dest
+ type: system
+ score: 80
+ - field: user
+ type: user
+ score: 80
+ threat_objects:
+ - field: process_name
+ type: process_name
+ - field: process_path
+ type: file_path
+tags:
+ analytic_story:
+ - Lotus Blossom Chrysalis Backdoor
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1059.003
+ - T1027
+ - T1036
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+ cve: []
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
index e6a5203ce4..86c2a71a7b 100644
--- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml
+++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Wmic Systeminfo Discovery
 id: 97937ece-cb13-4dbc-9684-c0dc3afd400a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -54,6 +54,7 @@ rba:
 tags:
 analytic_story:
 - LAMEHUG
+ - Lotus Blossom Chrysalis Backdoor
 asset_type: Endpoint
 mitre_attack_id:
 - T1082
diff --git a/stories/lotus_blossom_chrysalis_backdoor.yml b/stories/lotus_blossom_chrysalis_backdoor.yml
new file mode 100644
index 0000000000..34f83745a3
--- /dev/null
+++ b/stories/lotus_blossom_chrysalis_backdoor.yml
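Review bot: how_to_implement says the detection relies on OriginalFileName to distinguish legitimate svchost.exe from renamed tcc.exe, but the `where` clause never tests `Processes.original_file_name`; it appears only in the `by` list, so the svchost.exe branch is gated solely by the -nostdlib/-run flags, the .c argument and the non-System32 path. Either add the field to the filter, e.g. `where (Processes.original_file_name="tcc.exe" OR Processes.process_name="tcc.exe")` (noting that 4688 data without OriginalFileName would then miss the renamed binary), or rewrite that how_to_implement sentence to describe the flag-and-path logic the search actually uses. The attack_data path is under `T1059.005` while the tags and references use T1059.003; if the dataset really lives under T1059.005 this is fine, otherwise the test will not find its data.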
@@ -0,0 +1,20 @@
+name: Lotus Blossom Chrysalis Backdoor
+id: 4c58f09f-f76f-4261-bbf8-3be406d2fbad
+version: 1
+date: '2026-02-03'
+author: Michael Haag, Splunk
+status: production
+description: Leverage searches that allow you to detect and investigate activities related to Lotus Blossom's Chrysalis backdoor supply chain attack. Monitor for DLL side-loading abuse of Bitdefender Submission Wizard, TinyCC shellcode execution with suspicious command-line flags, BluetoothService persistence in user directories, and system information collection via whoami/systeminfo commands. Investigate unusual process execution patterns, NSIS installer deployments to suspicious paths, and malicious service installations. Combining behavioral detections with threat intelligence enables early identification of Lotus Blossom tradecraft, including custom loaders, Microsoft Warbird abuse, and C2 communications mimicking legitimate API traffic patterns.
+narrative: Lotus Blossom (Billbug) is a Chinese APT group active since 2009, targeting government, telecom, aviation, and critical infrastructure sectors across Southeast Asia and Central America. In June 2025, the group compromised Notepad++ hosting provider infrastructure, redirecting update traffic to malicious servers until December 2025. Kaspersky and Rapid7 identified three distinct infection chains delivering the custom Chrysalis backdoor. Chain #1 exploited ProShow software vulnerability to launch Metasploit downloaders. Chain #2 abused Lua interpreter to execute shellcode via EnumWindowStationsW. Chain #3 deployed DLL side-loading using renamed Bitdefender Submission Wizard (BluetoothService.exe) to load encrypted shellcode. All chains collected system information via whoami, tasklist, systeminfo, and netstat commands, exfiltrating results to temp.sh hosting service. Alternative loaders include TinyCC abuse for shellcode compilation and Microsoft Warbird exploitation. The malware establishes persistence through Windows services while C2 communications mimic legitimate API traffic. Victims included government organizations in the Philippines, financial institutions in El Salvador, and IT service providers in Vietnam. Lotus Blossom also deploys Cobalt Strike beacons and Metasploit shellcode as secondary payloads. Splunk ESCU provides detection coverage for these commodity frameworks in the Cobalt Strike and Compromised Windows Host analytic stories.
+references:
+- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+- https://securelist.com/notepad-supply-chain-attack/118708/
+- https://attack.mitre.org/groups/G0065/
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
From de35f8cb14086687b8041fdd330a563691960144 Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 12 Mar 2026 10:21:34 -0600
Subject: [PATCH 2/5] filter
---
 .../windows_bitdefender_submission_wizard_dll_sideloading.yml | 1 +
 detections/endpoint/windows_bluetoothservice_persistence.yml | 1 +
 ...ows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml | 2 +-
 detections/endpoint/windows_tinycc_shellcode_execution.yml | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
index 65345f9691..a640ed06b7 100644
--- a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
+++ b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
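Review bot: The story description tells readers to monitor for NSIS installer deployments to suspicious paths and for Microsoft Warbird abuse, but none of the detections tagged into this story in this series (the two log.dll sideloading analytics, BluetoothService persistence, TinyCC execution, and the whoami/systeminfo/wmic discovery analytics) cover either behaviour; unless existing detections outside this patch are mapped to the story, the description promises coverage the story does not provide. Trimming those two items from the description, or naming the analytics that do cover them, keeps the story accurate for an analyst reading it in Enterprise Security. The narrative's sentence `Chain #1 exploited ProShow software vulnerability to launch Metasploit downloaders.` would also be easier to act on if it cited which reference documents that chain.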
@@ -17,6 +17,7 @@ search: |
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
+ | `windows_bitdefender_submission_wizard_dll_sideloading_filter`
 how_to_implement: |
 Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required.
 known_false_positives: |
diff --git a/detections/endpoint/windows_bluetoothservice_persistence.yml b/detections/endpoint/windows_bluetoothservice_persistence.yml
index b810f12213..6147f4b0c7 100644
--- a/detections/endpoint/windows_bluetoothservice_persistence.yml
+++ b/detections/endpoint/windows_bluetoothservice_persistence.yml
@@ -20,6 +20,7 @@ search: |
 | rename Computer as dest, UserID as user_id
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
+ | `windows_bluetoothservice_persistence_filter`
 how_to_implement: |
 To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type.
diff --git a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
index a81e0286f7..4fe4b39bce 100644
--- a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
+++ b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
@@ -9,7 +9,7 @@ description: |
 Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events. Same Lotus Blossom Chrysalis technique as the process-creation detection but uses ImageLoad for higher precision. Marked experimental because it requires Sysmon ImageLoad and test datasets may only include process creation.
 data_source:
 - Sysmon EventID 7
-search: '`sysmon` EventCode=7 (Image IN ("*\\\\BDSubmit.exe", "*\\\\bdsw.exe", "*\\\\BluetoothService.exe") OR OriginalFileName IN ("BDSubmit.exe", "bdsw.exe")) ImageLoaded="*\\\\log.dll" NOT (ImageLoaded IN ("*\\\\System32\\\\*", "*\\\\SysWOW64\\\\*", "*\\\\Program Files*", "*\\\\Program Files (x86)*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SignatureStatus, User, OriginalFileName, loaded_file, loaded_file_path, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+search: '`sysmon` EventCode=7 (Image IN ("*\\\\BDSubmit.exe", "*\\\\bdsw.exe", "*\\\\BluetoothService.exe") OR OriginalFileName IN ("BDSubmit.exe", "bdsw.exe")) ImageLoaded="*\\\\log.dll" NOT (ImageLoaded IN ("*\\\\System32\\\\*", "*\\\\SysWOW64\\\\*", "*\\\\Program Files*", "*\\\\Program Files (x86)*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SignatureStatus, User, OriginalFileName, loaded_file, loaded_file_path, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sysmon_bitdefender_submission_wizard_dll_sideloading_filter`'
 how_to_implement: |
 Ingest Sysmon ImageLoad events and ensure the Splunk Add-on for Sysmon is configured to parse them. Enable ImageLoad in Sysmon config for DLLs. Map logs to Endpoint data model where applicable.
 known_false_positives: |
diff --git a/detections/endpoint/windows_tinycc_shellcode_execution.yml b/detections/endpoint/windows_tinycc_shellcode_execution.yml
index 37ee439caf..d9168c32e6 100644
--- a/detections/endpoint/windows_tinycc_shellcode_execution.yml
+++ b/detections/endpoint/windows_tinycc_shellcode_execution.yml
@@ -23,6 +23,7 @@ search: |
 | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
+ | `windows_tinycc_shellcode_execution_filter`
 how_to_implement: |
 To successfully implement this search, you need to be ingesting logs with process creation information from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventCode 1 (Process Create). Ensure that command-line arguments are being captured in your Sysmon configuration.
From 08540e76b31d56a96ce5d3daa8f82f5c27b0be13 Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 12 Mar 2026 10:54:58 -0600
Subject: [PATCH 3/5] fix
---
 .../windows_bitdefender_submission_wizard_dll_sideloading.yml | 2 +-
 ...ows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
index a640ed06b7..ee4cc12813 100644
--- a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
+++ b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
@@ -54,7 +54,7 @@ tags:
 - Lotus Blossom Chrysalis Backdoor
 asset_type: Endpoint
 mitre_attack_id:
- - T1574.002
+ - T1574
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
index 4fe4b39bce..a747e1cb7e 100644
--- a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
+++ b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml
@@ -46,7 +46,7 @@ tags:
 - Lotus Blossom Chrysalis Backdoor
 asset_type: Endpoint
 mitre_attack_id:
- - T1574.002
+ - T1574
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
From 30f4a26ce081189dff686d75ed481c75fd843ab4 Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:14:56 -0600
Subject: [PATCH 4/5] moar

---
 .../system_information_discovery_detection.yml | 4 ++--
 .../endpoint/system_user_discovery_with_whoami.yml | 4 ++--
 .../endpoint/windows_bluetoothservice_persistence.yml | 10 +++++-----
 .../endpoint/windows_tinycc_shellcode_execution.yml | 10 +++++-----
 .../endpoint/windows_wmic_systeminfo_discovery.yml | 4 ++--
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index e34c0507dd..85481ddb7b 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -1,7 +1,7 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 15
-date: '2026-03-12'
+version: 14
+date: '2026-03-10'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
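Review bot: Swapping `T1574.002` for the parent `T1574` in `mitre_attack_id` (here and in the windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml hunk on the same line) leaves both files' `references` entry `https://attack.mitre.org/techniques/T1574/002/` and the process-creation detection's test dataset path under `T1574.002` pointing at the sub-technique the detections no longer claim. If the sub-technique was dropped because the validator's ATT&CK version retired it (recent ATT&CK releases folded DLL side-loading into T1574.001 — worth confirming against the version the repo pins), the reference should move with it, and T1574.001 would keep the mapping as specific as it was. A YAML comment beside the entry, e.g. `- T1574  # T1574.002 retired in ATT&CK <version>; parent kept for the validator`, would save the next maintainer the same search.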
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 71e383bf9c..b1b6ad213b 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -1,7 +1,7 @@
 name: System User Discovery With Whoami
 id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4
-version: 10
-date: '2026-03-12'
+version: 9
+date: '2026-03-10'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_bluetoothservice_persistence.yml b/detections/endpoint/windows_bluetoothservice_persistence.yml
index 6147f4b0c7..fe122c7051 100644
--- a/detections/endpoint/windows_bluetoothservice_persistence.yml
+++ b/detections/endpoint/windows_bluetoothservice_persistence.yml
@@ -11,23 +11,23 @@ description: | data_source: - Windows Event Log System 7045 search: | - `wineventlog_system` EventCode=7045 + `wineventlog_system` EventCode=7045 ServiceName IN ("BluetoothService", "Bluetooth Service") ImagePath IN ("*\\AppData\\*", "*\\Users\\*\\Bluetooth\\*", "*\\Temp\\*", "*\\ProgramData\\*") NOT ImagePath IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\Program Files*") - | stats count min(_time) as firstTime max(_time) as lastTime + | stats count min(_time) as firstTime max(_time) as lastTime by Computer, ServiceName, ImagePath, ServiceType, StartType, UserID | rename Computer as dest, UserID as user_id - | `security_content_ctime(firstTime)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bluetoothservice_persistence_filter` how_to_implement: | To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type. - + Ensure Windows Event Log forwarding is configured to send System logs to Splunk, or use a Windows Event Log collection agent. The Splunk Add-on for Microsoft Windows is required to properly parse these events. known_false_positives: | Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if: - + 1. Third-party Bluetooth software installs services in Program Files (excluded by this detection) 2. Development or testing environments create test services diff --git a/detections/endpoint/windows_tinycc_shellcode_execution.yml b/detections/endpoint/windows_tinycc_shellcode_execution.yml index d9168c32e6..37a8ed99fd 100644 --- a/detections/endpoint/windows_tinycc_shellcode_execution.yml +++ b/detections/endpoint/windows_tinycc_shellcode_execution.yml 
@@ -12,8 +12,8 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 search: | - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime - from datamodel=Endpoint.Processes + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes where (Processes.process_name="svchost.exe" OR Processes.process_name="tcc.exe") AND (Processes.process="* -nostdlib*" AND Processes.process="* -run*") AND (Processes.process="*.c" OR Processes.process="*conf.c*") @@ -26,16 +26,16 @@ search: | | `windows_tinycc_shellcode_execution_filter` how_to_implement: | To successfully implement this search, you need to be ingesting logs with process creation information from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventCode 1 (Process Create). Ensure that command-line arguments are being captured in your Sysmon configuration. - + The detection relies on the OriginalFileName field being populated to distinguish between legitimate svchost.exe and renamed tcc.exe binaries. Ensure Sysmon is configured to capture full command-line arguments. known_false_positives: | Legitimate TinyCC usage by developers may trigger this detection if executed from non-standard locations. However, the combination of: 1. Renamed binary (svchost.exe with tcc.exe OriginalFileName) 2. Execution from user-writable directories (AppData, Temp, ProgramData) 3. Suspicious flags (-nostdlib -run) with .c file execution - + is highly suspicious and warrants investigation. Legitimate TinyCC usage typically occurs from Program Files or developer directories with standard compilation workflows. - + Allowlist known development environments if needed. references: - https://attack.mitre.org/techniques/T1059/003/ 
diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
index 86c2a71a7b..266d513ce1 100644
--- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml
+++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Wmic Systeminfo Discovery
 id: 97937ece-cb13-4dbc-9684-c0dc3afd400a
-version: 4
-date: '2026-03-12'
+version: 3
+date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
From 752930e5f07506e26a677b0f45f2d44b6c41cd1d Mon Sep 17 00:00:00 2001
From: MHaggis <5632822+MHaggis@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:25:33 -0600
Subject: [PATCH 5/5] Lotus Blossom Chrysalis: fix validation (filter macros in search, T1574, yamlfmt)

Made-with: Cursor
---
 ...nder_submission_wizard_dll_sideloading.yml | 104 +++++++-------
 .../windows_bluetoothservice_persistence.yml | 116 +++++++--------
 ...nder_submission_wizard_dll_sideloading.yml | 78 +++++-----
 .../windows_tinycc_shellcode_execution.yml | 134 +++++++++---------
 4 files changed, 216 insertions(+), 216 deletions(-)

diff --git a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
index ee4cc12813..a3ceffb958 100644
--- a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
+++ b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
@@ -6,64 +6,64 @@ author: Michael Haag, Splunk status: production type: TTP description: | - Detects execution of rundll32 loading log.dll, as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious log.dll in %AppData%\Bluetooth and invoked it via rundll32.exe log.dll,LogInit to decrypt and execute shellcode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll; this detection focuses on the process-creation pattern (rundll32 with log.dll in command line) which is easier to deploy and test with EventID 1 and the Endpoint data model. + Detects execution of rundll32 loading log.dll, as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious log.dll in %AppData%\Bluetooth and invoked it via rundll32.exe log.dll,LogInit to decrypt and execute shellcode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll; this detection focuses on the process-creation pattern (rundll32 with log.dll in command line) which is easier to deploy and test with EventID 1 and the Endpoint data model. 
data_source: - - Sysmon EventID 1 + - Sysmon EventID 1 search: | - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime - from datamodel=Endpoint.Processes - where `process_rundll32` AND Processes.process=*log.dll* - by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_bitdefender_submission_wizard_dll_sideloading_filter` + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Endpoint.Processes + where `process_rundll32` AND Processes.process=*log.dll* + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_bitdefender_submission_wizard_dll_sideloading_filter` how_to_implement: | - Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. 
Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required. + Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required. known_false_positives: | - Legitimate use of rundll32 to load log.dll from trusted locations may trigger this. Allowlist known paths or parent processes as needed. + Legitimate use of rundll32 to load log.dll from trusted locations may trigger this. Allowlist known paths or parent processes as needed. references: - - https://attack.mitre.org/techniques/T1574/002/ - - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ - - https://attack.mitre.org/groups/G0065/ + - https://attack.mitre.org/techniques/T1574/002/ + - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ + - https://attack.mitre.org/groups/G0065/ drilldown_searches: - - name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - 
name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL abuse - risk_objects: - - field: dest - type: system - score: 85 - - field: user - type: user - score: 85 - threat_objects: - - field: process_name - type: process_name - - field: process - type: command + message: Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL abuse + risk_objects: + - field: dest + type: system + score: 85 + - field: user + type: user + score: 85 + threat_objects: + - field: process_name + type: process_name + - field: process + type: command tags: - analytic_story: - - Lotus Blossom Chrysalis Backdoor - asset_type: Endpoint - mitre_attack_id: - - T1574 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint - cve: [] + analytic_story: + - Lotus Blossom Chrysalis Backdoor + asset_type: Endpoint + mitre_attack_id: + - T1574 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: [] tests: - - name: True Positive Test - attack_data: - - 
data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log - sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log + sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/detections/endpoint/windows_bluetoothservice_persistence.yml b/detections/endpoint/windows_bluetoothservice_persistence.yml index fe122c7051..3104475687 100644 --- a/detections/endpoint/windows_bluetoothservice_persistence.yml +++ b/detections/endpoint/windows_bluetoothservice_persistence.yml 
@@ -6,72 +6,72 @@ author: Michael Haag, Splunk status: production type: TTP description: | - Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. - While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence. + Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory. + While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence. 
data_source: - - Windows Event Log System 7045 + - Windows Event Log System 7045 search: | - `wineventlog_system` EventCode=7045 - ServiceName IN ("BluetoothService", "Bluetooth Service") - ImagePath IN ("*\\AppData\\*", "*\\Users\\*\\Bluetooth\\*", "*\\Temp\\*", "*\\ProgramData\\*") - NOT ImagePath IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\Program Files*") - | stats count min(_time) as firstTime max(_time) as lastTime - by Computer, ServiceName, ImagePath, ServiceType, StartType, UserID - | rename Computer as dest, UserID as user_id - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_bluetoothservice_persistence_filter` + `wineventlog_system` EventCode=7045 + ServiceName IN ("BluetoothService", "Bluetooth Service") + ImagePath IN ("*\\AppData\\*", "*\\Users\\*\\Bluetooth\\*", "*\\Temp\\*", "*\\ProgramData\\*") + NOT ImagePath IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\Program Files*") + | stats count min(_time) as firstTime max(_time) as lastTime + by Computer, ServiceName, ImagePath, ServiceType, StartType, UserID + | rename Computer as dest, UserID as user_id + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_bluetoothservice_persistence_filter` how_to_implement: | - To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type. + To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type. - Ensure Windows Event Log forwarding is configured to send System logs to Splunk, or use a Windows Event Log collection agent. 
The Splunk Add-on for Microsoft Windows is required to properly parse these events. + Ensure Windows Event Log forwarding is configured to send System logs to Splunk, or use a Windows Event Log collection agent. The Splunk Add-on for Microsoft Windows is required to properly parse these events. known_false_positives: | - Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if: + Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if: - 1. Third-party Bluetooth software installs services in Program Files (excluded by this detection) - 2. Development or testing environments create test services - - The detection specifically targets user-writable directories (AppData, Temp) which are strong indicators of malicious activity. Allowlist known-good third-party Bluetooth software installation paths if needed. + 1. Third-party Bluetooth software installs services in Program Files (excluded by this detection) + 2. Development or testing environments create test services + + The detection specifically targets user-writable directories (AppData, Temp) which are strong indicators of malicious activity. Allowlist known-good third-party Bluetooth software installation paths if needed. 
references: - - https://attack.mitre.org/techniques/T1543/003/ - - https://attack.mitre.org/techniques/T1036/ - - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ + - https://attack.mitre.org/techniques/T1543/003/ + - https://attack.mitre.org/techniques/T1036/ + - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ drilldown_searches: - - name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 
$info_min_time$ + latest_offset: $info_max_time$ rba: - message: Suspicious BluetoothService created on $dest$ with binary path $ImagePath$ in user-writable directory, indicating potential malware persistence - risk_objects: - - field: dest - type: system - score: 75 - threat_objects: - - field: ServiceName - type: service - - field: ImagePath - type: file_path + message: Suspicious BluetoothService created on $dest$ with binary path $ImagePath$ in user-writable directory, indicating potential malware persistence + risk_objects: + - field: dest + type: system + score: 75 + threat_objects: + - field: ServiceName + type: service + - field: ImagePath + type: file_path tags: - analytic_story: - - Lotus Blossom Chrysalis Backdoor - asset_type: Endpoint - mitre_attack_id: - - T1543.003 - - T1036 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint - cve: [] + analytic_story: + - Lotus Blossom Chrysalis Backdoor + asset_type: Endpoint + mitre_attack_id: + - T1543.003 + - T1036 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: [] tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log - sourcetype: XmlWinEventLog:System - source: XmlWinEventLog:System + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log + sourcetype: XmlWinEventLog:System + source: XmlWinEventLog:System diff --git a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml index a747e1cb7e..5de354cc88 100644 
--- a/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml +++ b/detections/endpoint/windows_sysmon_bitdefender_submission_wizard_dll_sideloading.yml 
@@ -6,50 +6,50 @@ author: Michael Haag, Splunk status: experimental type: TTP description: | - Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events. Same Lotus Blossom Chrysalis technique as the process-creation detection but uses ImageLoad for higher precision. Marked experimental because it requires Sysmon ImageLoad and test datasets may only include process creation. + Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events. Same Lotus Blossom Chrysalis technique as the process-creation detection but uses ImageLoad for higher precision. Marked experimental because it requires Sysmon ImageLoad and test datasets may only include process creation. data_source: - - Sysmon EventID 7 + - Sysmon EventID 7 search: '`sysmon` EventCode=7 (Image IN ("*\\\\BDSubmit.exe", "*\\\\bdsw.exe", "*\\\\BluetoothService.exe") OR OriginalFileName IN ("BDSubmit.exe", "bdsw.exe")) ImageLoaded="*\\\\log.dll" NOT (ImageLoaded IN ("*\\\\System32\\\\*", "*\\\\SysWOW64\\\\*", "*\\\\Program Files*", "*\\\\Program Files (x86)*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SignatureStatus, User, OriginalFileName, loaded_file, loaded_file_path, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sysmon_bitdefender_submission_wizard_dll_sideloading_filter`' how_to_implement: | - Ingest Sysmon ImageLoad events and ensure the Splunk Add-on for Sysmon is configured to parse them. Enable ImageLoad in Sysmon config for DLLs. 
Map logs to Endpoint data model where applicable. + Ingest Sysmon ImageLoad events and ensure the Splunk Add-on for Sysmon is configured to parse them. Enable ImageLoad in Sysmon config for DLLs. Map logs to Endpoint data model where applicable. known_false_positives: | - Legitimate Bitdefender installations loading log.dll from Program Files are excluded. Allowlist known paths as needed. + Legitimate Bitdefender installations loading log.dll from Program Files are excluded. Allowlist known paths as needed. references: - - https://attack.mitre.org/techniques/T1574/002/ - - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ - - https://attack.mitre.org/groups/G0065/ + - https://attack.mitre.org/techniques/T1574/002/ + - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ + - https://attack.mitre.org/groups/G0065/ drilldown_searches: - - name: View the detection results for - "$dest$" and "$User$" - search: '%original_detection_search% | search dest = "$dest$" User = "$User$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$dest$" and "$User$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" and "$User$" + search: '%original_detection_search% | search dest = "$dest$" User = "$User$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ 
+ - name: View risk events for the last 7 days for - "$dest$" and "$User$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 rba:
- message: Bitdefender Submission Wizard loaded log.dll from a non-standard path on $dest$ by user $User$, indicating DLL side-loading
- risk_objects:
- - field: dest
- type: system
- score: 85
- - field: User
- type: user
- score: 85
- threat_objects:
- - field: Image
- type: process_name
- - field: ImageLoaded
- type: file_name
+ message: Bitdefender Submission Wizard loaded log.dll from a non-standard path on $dest$ by user $User$, indicating DLL side-loading
+ risk_objects:
+ - field: dest
+ type: system
+ score: 85
+ - field: User
+ type: user
+ score: 85
+ threat_objects:
+ - field: Image
+ type: process_name
+ - field: ImageLoaded
+ type: file_name
 tags:
- analytic_story:
- - Lotus Blossom Chrysalis Backdoor
- asset_type: Endpoint
- mitre_attack_id:
- - T1574
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: endpoint
- cve: []
+ analytic_story:
+ - Lotus Blossom Chrysalis Backdoor
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1574
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+ cve: []
diff --git a/detections/endpoint/windows_tinycc_shellcode_execution.yml b/detections/endpoint/windows_tinycc_shellcode_execution.yml
index 37a8ed99fd..5d715b53bb 100644
--- a/detections/endpoint/windows_tinycc_shellcode_execution.yml
+++ b/detections/endpoint/windows_tinycc_shellcode_execution.yml
@@ -6,82 +6,82 @@ author: Michael Haag, Splunk
 status: production
 type: TTP
 description: |
- Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.
- TinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.
+ Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.
+ TinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.
 data_source:
- - Sysmon EventID 1
- - Windows Event Log Security 4688
+ - Sysmon EventID 1
+ - Windows Event Log Security 4688
 search: |
- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
- from datamodel=Endpoint.Processes
- where (Processes.process_name="svchost.exe" OR Processes.process_name="tcc.exe")
- AND (Processes.process="* -nostdlib*" AND Processes.process="* -run*")
- AND (Processes.process="*.c" OR Processes.process="*conf.c*")
- AND NOT Processes.process_path IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
- by Processes.action Processes.dest Processes.user Processes.process Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
- Processes.process_name Processes.process_id Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_integrity_level Processes.process_path Processes.original_file_name Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)`
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `windows_tinycc_shellcode_execution_filter`
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+ from datamodel=Endpoint.Processes
+ where (Processes.process_name="svchost.exe" OR Processes.process_name="tcc.exe")
+ AND (Processes.process="* -nostdlib*" AND Processes.process="* -run*")
+ AND (Processes.process="*.c" OR Processes.process="*conf.c*")
+ AND NOT Processes.process_path IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
+ by Processes.action Processes.dest Processes.user Processes.process Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+ Processes.process_name Processes.process_id Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_integrity_level Processes.process_path Processes.original_file_name Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_tinycc_shellcode_execution_filter`
 how_to_implement: |
- To successfully implement this search, you need to be ingesting logs with process creation information from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventCode 1 (Process Create). Ensure that command-line arguments are being captured in your Sysmon configuration.
+ To successfully implement this search, you need to be ingesting logs with process creation information from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventCode 1 (Process Create). Ensure that command-line arguments are being captured in your Sysmon configuration.
- The detection relies on the OriginalFileName field being populated to distinguish between legitimate svchost.exe and renamed tcc.exe binaries. Ensure Sysmon is configured to capture full command-line arguments.
+ The detection relies on the OriginalFileName field being populated to distinguish between legitimate svchost.exe and renamed tcc.exe binaries. Ensure Sysmon is configured to capture full command-line arguments.
 known_false_positives: |
- Legitimate TinyCC usage by developers may trigger this detection if executed from non-standard locations. However, the combination of:
- 1. Renamed binary (svchost.exe with tcc.exe OriginalFileName)
- 2. Execution from user-writable directories (AppData, Temp, ProgramData)
- 3. Suspicious flags (-nostdlib -run) with .c file execution
+ Legitimate TinyCC usage by developers may trigger this detection if executed from non-standard locations. However, the combination of:
+ 1. Renamed binary (svchost.exe with tcc.exe OriginalFileName)
+ 2. Execution from user-writable directories (AppData, Temp, ProgramData)
+ 3. Suspicious flags (-nostdlib -run) with .c file execution
- is highly suspicious and warrants investigation. Legitimate TinyCC usage typically occurs from Program Files or developer directories with standard compilation workflows.
+ is highly suspicious and warrants investigation. Legitimate TinyCC usage typically occurs from Program Files or developer directories with standard compilation workflows.
- Allowlist known development environments if needed.
+ Allowlist known development environments if needed.
 references:
- - https://attack.mitre.org/techniques/T1059/003/
- - https://attack.mitre.org/techniques/T1027/
- - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- - https://github.com/phoenixthrush/Tiny-C-Compiler
+ - https://attack.mitre.org/techniques/T1059/003/
+ - https://attack.mitre.org/techniques/T1027/
+ - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+ - https://github.com/phoenixthrush/Tiny-C-Compiler
 drilldown_searches:
- - name: View the detection results for - "$dest$" and "$user$"
- search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
- - name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ - name: View the detection results for - "$dest$" and "$user$"
+ search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 rba:
- message: TinyCC compiler abuse detected on $dest$ by user $user$ executing shellcode from $process_path$, indicating potential malicious code execution
- risk_objects:
- - field: dest
- type: system
- score: 80
- - field: user
- type: user
- score: 80
- threat_objects:
- - field: process_name
- type: process_name
- - field: process_path
- type: file_path
+ message: TinyCC compiler abuse detected on $dest$ by user $user$ executing shellcode from $process_path$, indicating potential malicious code execution
+ risk_objects:
+ - field: dest
+ type: system
+ score: 80
+ - field: user
+ type: user
+ score: 80
+ threat_objects:
+ - field: process_name
+ type: process_name
+ - field: process_path
+ type: file_path
 tags:
- analytic_story:
- - Lotus Blossom Chrysalis Backdoor
- asset_type: Endpoint
- mitre_attack_id:
- - T1059.003
- - T1027
- - T1036
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: endpoint
- cve: []
+ analytic_story:
+ - Lotus Blossom Chrysalis Backdoor
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1059.003
+ - T1027
+ - T1036
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+ cve: []
 tests:
- - name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
- sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational