- # Splunk search/tags to detect Regin malware components in your log data
- #
- # We assume that the backdoor samples published in the Symantec and Kaspersky reports are no longer in use
- # and have already been replaced by more sophisticated versions, so a successful detection with these tags
- # should be regarded as a 'lucky shot'. You may nevertheless be able to prove a former infection from your log
- # files, even though intelligence agencies have already removed their files and registry keys from the compromised systems.
- #
- # This search and tag definition includes IOCs for
- #
- # 1. File names
- # These may be detected in: Windows Eventlog if Process Monitoring is active, error reports, AV detections
- # 2. MD5 hashes
- # These may be detected in: Security software logs, incident response scanner logs
- #
- # Contact / False Positives / Feedback / Improvements
- # Twitter: @Malwrsignatures
- # SEARCH ########################################################
- #
- # Copy & Paste to Search or App
- # NOTE(review): these are plain Splunk search terms, not a regex. The `\.` escapes on winhttpc\.dll, svcstat\.exe,
- # svcsstat\.exe, PINTLGBP\.IMD, wsharp\.dll and wshnetc\.dll are inconsistent with the unescaped names in the rest of
- # the list (e.g. wshnetc.dll, usbclass.sys); confirm that both spellings match the same events before relying on them.
- # NOTE(review): several hashes are listed twice and can be dropped without changing the result — on the first line
- # ffb0b9b5b610191051a7bdf0806e1e47, bfbe8c3ee78750c3a520480700e440f8, b29ca4f22ae7b7b25f79c1d4a421139d and
- # 06665b96e293b23acc80451abb413e50 each appear a second time; the second line repeats 2c8b9d2885543d7ade3cae98225e263b,
- # 4b6b86c7fec1c574706cecedf44abded, 187044596bc1328efa0ed636d8aa4a5c, d240f06e98c8d3e647cbf4d442d79475,
- # 6662c390b2bbbd291ec7987388fc75d7, 1c024e599ac055312a4ab75b3950040a, ba7bb65634ce1e30c1e5415be3d1db1d,
- # b505d65721bb2453d5039a389113b566 and b269894f434657db2b15949641a67532 from the first line.
- # The search carries no index or sourcetype scope, so as written it runs over the default index only; prefix it with
- # the index you want to cover (the TAGS section below uses index=windows_server as an example).
- # Short generic file names such as usbclass.sys, adpu160.sys or dnscache.dat may also match legitimate files; treat a
- # hit as a lead to verify against the hash IOCs and process context, not as a confirmed infection.
- usbclass.sys OR adpu160.sys OR msrdc64.dat OR msdcsvc.dat OR config\\SystemAudit.Evt OR config\\SecurityAudit.Evt OR config\\SystemLog.evt OR config\\ApplicationLog.evt OR ime\\imesc5\\dicts\\pintlgbs.imd OR ime\\imesc5\\dicts\\pintlgbp.imd OR winhttpc\.dll OR wshnetc.dll OR SysWow64\\wshnetc.dll OR svcstat\.exe OR svcsstat\.exe OR IME\\IMESC5\\DICTS\\PINTLGBP\.IMD OR wsharp\.dll OR wshnetc\.dll OR pchealth\\helpctr\\Database\\cdata.dat OR pchealth\\helpctr\\Database\\cdata.edb OR Windows\\Panther\\setup.etl.000 OR wbem\\repository\\INDEX2.DATA OR wbem\\repository\\OBJECTS2.DATA OR dnscache.dat OR mregnx.dat OR displn32.dat OR dmdskwk.dat OR nvwrsnu.dat OR tapiscfg.dat OR d240f06e98c8d3e647cbf4d442d79475 OR db405ad775ac887a337b02ea8b07fddc OR 01c2f321b6bfdb9473c079b0797567ba OR 4b6b86c7fec1c574706cecedf44abded OR b505d65721bb2453d5039a389113b566 OR ba7bb65634ce1e30c1e5415be3d1db1d OR 22bfc970f707fd775d49e875b63c2f0c OR 2c8b9d2885543d7ade3cae98225e263b OR 47d0e8f9d7a6429920329207a32ecc2e OR bfbe8c3ee78750c3a520480700e440f8 OR 744c07e886497f7b68f6f7fe57b7ab54 OR b29ca4f22ae7b7b25f79c1d4a421139d OR 1352a9210c8d9120f55f98f90fa5fc5c OR 7137720651a55fb8978138c8bf36f00f OR b269894f434657db2b15949641a67532 OR 187044596bc1328efa0ed636d8aa4a5c OR ffb0b9b5b610191051a7bdf0806e1e47 OR 26297dc3cd0b688de3b846983c5385e5 OR 1c024e599ac055312a4ab75b3950040a OR 148c1bb9d405d717252c77593aff4bd8 OR 6662c390b2bbbd291ec7987388fc75d7 OR 049436bb90f71cf38549817d9b90e2da OR 06665b96e293b23acc80451abb413e50 OR e97f6268c7b5f2f8844e2c1bfaae72c8 OR ffb0b9b5b610191051a7bdf0806e1e47 OR bfbe8c3ee78750c3a520480700e440f8 OR b29ca4f22ae7b7b25f79c1d4a421139d OR 06665b96e293b23acc80451abb413e50 OR c1febbf853b0928c702ad3d38016bb36 OR 02c5c3983983d15405875894cab47bac OR 85bd9de0382a13c09705c26a8306e22e OR 55b8dbe7bb0c37c05a30cc75742401a5 OR a8c032ba411c1f63220d7e7ce883ee8e OR 66afaa303e13faa4913eaad50f7237ea OR 0b26e313ed4a7ca6904b0e9369e5b957 OR 50f12169cbaa73ed665f665e1891f59d OR 
- 7ee9d65c02483fd8e12a915dd20430a9 OR 1e767f079ae0982da11f2b7964745289 OR 52897d02af0f7658e64e0db6af537dc2 OR 83791bb6ee1de2927c90556e46e7cfe1 OR b7cbb79edd04c32dc46e23407d0c4139 OR b0a35d8ed2d852230265bff39e57d9e5 OR 5ecff6d766ec3fcce9208c3e37f36306 OR 2c8b9d2885543d7ade3cae98225e263b OR 4b6b86c7fec1c574706cecedf44abded OR 187044596bc1328efa0ed636d8aa4a5c OR d240f06e98c8d3e647cbf4d442d79475 OR 6662c390b2bbbd291ec7987388fc75d7 OR 1c024e599ac055312a4ab75b3950040a OR ba7bb65634ce1e30c1e5415be3d1db1d OR b505d65721bb2453d5039a389113b566 OR b269894f434657db2b15949641a67532
- # TAGS ##########################################################
- #
- # 1. Add this to your tags.conf and check that the tag appears under Settings > Tags
- # 2. Search your log files like this: index=windows_server tag=regin
- # NOTE(review): every stanza below tags the field/value pair _raw=<file name or path>. A tags.conf stanza is a
- # field=value match, so the tag is expected to apply only when the whole raw event equals the value — not when the
- # file name merely occurs somewhere inside a longer event line. Verify with a test event before relying on
- # tag=regin; if substring matching is what you need, define an eventtype from the SEARCH section above and tag
- # that eventtype instead. The %5C sequences are URL-encoded backslashes in the original Windows paths.
- [_raw=usbclass.sys]
- regin = enabled
- [_raw=adpu160.sys]
- regin = enabled
- [_raw=msrdc64.dat]
- regin = enabled
- [_raw=msdcsvc.dat]
- regin = enabled
- # The four .Evt/.evt names below are plain event-log file names; legitimate log files may carry the same names.
- [_raw=SystemAudit.Evt]
- regin = enabled
- [_raw=SecurityAudit.Evt]
- regin = enabled
- [_raw=SystemLog.evt]
- regin = enabled
- [_raw=ApplicationLog.evt]
- regin = enabled
- [_raw=%5Cime%5Cimesc5%5Cdicts%5Cpintlgbs.imd]
- regin = enabled
- [_raw=%5Cime%5Cimesc5%5Cdicts%5Cpintlgbp.imd]
- regin = enabled
- [_raw=%5CSystem32%5Cwinhttpc.dll]
- regin = enabled
- [_raw=%5CSystem32%5Cwshnetc.dll]
- regin = enabled
- [_raw=%5CSysWow64%5Cwshnetc.dll]
- regin = enabled
- [_raw=svcstat.exe]
- regin = enabled
- [_raw=svcsstat.exe]
- regin = enabled
- # Upper-case variant of the pintlgbp.imd path above; tags.conf values are case-sensitive, so both are kept.
- [_raw=IME%5CIMESC5%5CDICTS%5CPINTLGBP.IMD]
- regin = enabled
- [_raw=wsharp.dll]
- regin = enabled
- # Bare file name in addition to the System32/SysWow64 paths above.
- [_raw=wshnetc.dll]
- regin = enabled
- [_raw=pchealth%5Chelpctr%5CDatabase%5Ccdata.dat]
- regin = enabled
- [_raw=pchealth%5Chelpctr%5CDatabase%5Ccdata.edb]
- regin = enabled
- [_raw=Windows%5CPanther%5Csetup.etl.000]
- regin = enabled
- [_raw=System32%5Cwbem%5Crepository%5CINDEX2.DATA]
- regin = enabled
- [_raw=System32%5Cwbem%5Crepository%5COBJECTS2.DATA]
- regin = enabled
- [_raw=dnscache.dat]
- regin = enabled
- [_raw=mregnx.dat]
- regin = enabled
- [_raw=displn32.dat]
- regin = enabled
- [_raw=dmdskwk.dat]
- regin = enabled
- [_raw=nvwrsnu.dat]
- regin = enabled
- [_raw=tapiscfg.dat]
- regin = enabled
- # MD5 hash stanzas. As with the file names, each is a field=value match on _raw, so the tag is expected to apply
- # only to events whose whole raw text is the hash; check against a real scanner/AV log line before relying on it.
- # NOTE(review): 13 of the stanzas below repeat a hash that is already tagged earlier in this list (marked inline).
- # Duplicate stanzas are harmless in tags.conf but can be removed.
- [_raw=d240f06e98c8d3e647cbf4d442d79475]
- regin = enabled
- [_raw=db405ad775ac887a337b02ea8b07fddc]
- regin = enabled
- [_raw=01c2f321b6bfdb9473c079b0797567ba]
- regin = enabled
- [_raw=4b6b86c7fec1c574706cecedf44abded]
- regin = enabled
- [_raw=b505d65721bb2453d5039a389113b566]
- regin = enabled
- [_raw=ba7bb65634ce1e30c1e5415be3d1db1d]
- regin = enabled
- [_raw=22bfc970f707fd775d49e875b63c2f0c]
- regin = enabled
- [_raw=2c8b9d2885543d7ade3cae98225e263b]
- regin = enabled
- [_raw=47d0e8f9d7a6429920329207a32ecc2e]
- regin = enabled
- [_raw=bfbe8c3ee78750c3a520480700e440f8]
- regin = enabled
- [_raw=744c07e886497f7b68f6f7fe57b7ab54]
- regin = enabled
- [_raw=b29ca4f22ae7b7b25f79c1d4a421139d]
- regin = enabled
- [_raw=1352a9210c8d9120f55f98f90fa5fc5c]
- regin = enabled
- [_raw=7137720651a55fb8978138c8bf36f00f]
- regin = enabled
- [_raw=b269894f434657db2b15949641a67532]
- regin = enabled
- [_raw=187044596bc1328efa0ed636d8aa4a5c]
- regin = enabled
- [_raw=ffb0b9b5b610191051a7bdf0806e1e47]
- regin = enabled
- [_raw=26297dc3cd0b688de3b846983c5385e5]
- regin = enabled
- [_raw=1c024e599ac055312a4ab75b3950040a]
- regin = enabled
- [_raw=148c1bb9d405d717252c77593aff4bd8]
- regin = enabled
- [_raw=6662c390b2bbbd291ec7987388fc75d7]
- regin = enabled
- [_raw=049436bb90f71cf38549817d9b90e2da]
- regin = enabled
- [_raw=06665b96e293b23acc80451abb413e50]
- regin = enabled
- [_raw=e97f6268c7b5f2f8844e2c1bfaae72c8]
- regin = enabled
- # The next four stanzas repeat hashes already tagged above (ffb0b9b5…, bfbe8c3e…, b29ca4f2…, 06665b96…).
- [_raw=ffb0b9b5b610191051a7bdf0806e1e47]
- regin = enabled
- [_raw=bfbe8c3ee78750c3a520480700e440f8]
- regin = enabled
- [_raw=b29ca4f22ae7b7b25f79c1d4a421139d]
- regin = enabled
- [_raw=06665b96e293b23acc80451abb413e50]
- regin = enabled
- [_raw=c1febbf853b0928c702ad3d38016bb36]
- regin = enabled
- [_raw=02c5c3983983d15405875894cab47bac]
- regin = enabled
- [_raw=85bd9de0382a13c09705c26a8306e22e]
- regin = enabled
- [_raw=55b8dbe7bb0c37c05a30cc75742401a5]
- regin = enabled
- [_raw=a8c032ba411c1f63220d7e7ce883ee8e]
- regin = enabled
- [_raw=66afaa303e13faa4913eaad50f7237ea]
- regin = enabled
- [_raw=0b26e313ed4a7ca6904b0e9369e5b957]
- regin = enabled
- [_raw=50f12169cbaa73ed665f665e1891f59d]
- regin = enabled
- [_raw=7ee9d65c02483fd8e12a915dd20430a9]
- regin = enabled
- [_raw=1e767f079ae0982da11f2b7964745289]
- regin = enabled
- [_raw=52897d02af0f7658e64e0db6af537dc2]
- regin = enabled
- [_raw=83791bb6ee1de2927c90556e46e7cfe1]
- regin = enabled
- [_raw=b7cbb79edd04c32dc46e23407d0c4139]
- regin = enabled
- [_raw=b0a35d8ed2d852230265bff39e57d9e5]
- regin = enabled
- [_raw=5ecff6d766ec3fcce9208c3e37f36306]
- regin = enabled
- # The remaining nine stanzas repeat hashes already tagged above (2c8b9d28…, 4b6b86c7…, 18704459…, d240f06e…,
- # 6662c390…, 1c024e59…, ba7bb656…, b505d657…, b269894f…).
- [_raw=2c8b9d2885543d7ade3cae98225e263b]
- regin = enabled
- [_raw=4b6b86c7fec1c574706cecedf44abded]
- regin = enabled
- [_raw=187044596bc1328efa0ed636d8aa4a5c]
- regin = enabled
- [_raw=d240f06e98c8d3e647cbf4d442d79475]
- regin = enabled
- [_raw=6662c390b2bbbd291ec7987388fc75d7]
- regin = enabled
- [_raw=1c024e599ac055312a4ab75b3950040a]
- regin = enabled
- [_raw=ba7bb65634ce1e30c1e5415be3d1db1d]
- regin = enabled
- [_raw=b505d65721bb2453d5039a389113b566]
- regin = enabled
- [_raw=b269894f434657db2b15949641a67532]
- regin = enabled