From f704724864bea51b785d6807e5617d649c12c8b1 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 11:51:41 +0100 Subject: [PATCH 01/13] sesameop --- ..._or_script_creation_in_suspicious_path.yml | 5 +- ...tables_or_script_creation_in_temp_path.yml | 5 +- .../registry_keys_used_for_persistence.yml | 8 +- ...eduled_task_deleted_or_created_via_cmd.yml | 7 +- .../windows_ai_platform_dns_query.yml | 30 ++++--- ...omainmanager_hijack_artifacts_creation.yml | 78 +++++++++++++++++++ .../windows_process_execution_in_temp_dir.yml | 5 +- .../windows_suspicious_process_file_path.yml | 5 +- ...eduled_task_created_within_public_path.yml | 7 +- ...ws_task_scheduler_event_action_started.yml | 6 +- ...ess_dns_query_known_abuse_web_services.yml | 6 +- stories/sesameop.yml | 20 +++++ 12 files changed, 152 insertions(+), 30 deletions(-) create mode 100644 detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml create mode 100644 stories/sesameop.yml diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 9be985bdd5..2e20858fe1 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 20 -date: '2025-10-31' +version: 21 +date: '2025-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -118,6 +118,7 @@ tags: - GhostRedirector IIS Module and Rungan Backdoor - Lokibot - Castle RAT + - SesameOp asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index ae71384e8a..02c5e4f696 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 -version: 16 -date: '2025-09-30' +version: 17 +date: '2025-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -109,6 +109,7 @@ tags: - APT37 Rustonotto and FadeStealer - PromptLock - Lokibot + - SesameOp asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 37148fc31f..2c1d04a6e9 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,7 +1,7 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 27 -date: '2025-11-20' +version: 28 +date: '2025-12-10' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production type: TTP @@ -118,6 +118,10 @@ tags: - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer - NetSupport RMM Tool Abuse + - DarkCrystal RAT + - Lokibot + - ValleyRAT + - Castle RAT asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index 2d34e4cdea..b1f9307a3b 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 22 -date: '2025-11-20' +version: 23 +date: '2025-12-10' author: Bhavin Patel, Splunk status: production type: TTP @@ -108,6 +108,9 @@ tags: - APT37 Rustonotto and FadeStealer - Lokibot - NetSupport RMM Tool Abuse + - ValleyRAT + - PlugX + - Remcos asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/windows_ai_platform_dns_query.yml b/detections/endpoint/windows_ai_platform_dns_query.yml index a0cac29c9c..452012f8bd 100644 --- a/detections/endpoint/windows_ai_platform_dns_query.yml +++ b/detections/endpoint/windows_ai_platform_dns_query.yml @@ -1,27 +1,32 @@ name: Windows AI Platform DNS Query id: 1ad89d24-c856-4a0e-8fdf-c20c7b9febe1 -version: 1 -date: '2025-08-25' +version: 2 +date: '2025-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, a popular provider of machine learning models and services. Monitoring for such DNS requests is important because it can reveal when systems are reaching out to external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting these queries helps organizations enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring ensures better control over AI model usage and organizational data flows. +description: | + The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, a popular provider of machine learning models and services. Monitoring for such DNS requests is important because it can reveal when systems are reaching out to external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting these queries helps organizations enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring ensures better control over AI model usage and organizational data flows. data_source: -- Sysmon EventID 22 -search: '`sysmon` EventCode=22 process_name IN ("python.exe", "cmd.exe", "rundll32.exe","powershell.exe", "pwsh.exe") QueryName= "router.huggingface.co" + - Sysmon EventID 22 +search: | + `sysmon` EventCode=22 (process_name IN ("python.exe", "cmd.exe", "rundll32.exe","powershell.exe", "pwsh.exe") OR + Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*")) AND + QueryName IN ("router.huggingface.co", "api.openai.com") | rename dvc as dest | stats count min(_time) as firstTime max(_time) as lastTime - by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id + by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id Image vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_ai_platform_dns_query_filter`' + | `windows_ai_platform_dns_query_filter` how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives: researcher, engineering and administrator may create a automation that queries huggingface ai platform hub for accomplishing task. references: - https://cert.gov.ua/article/6284730 +- https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' @@ -47,14 +52,15 @@ rba: type: process_name tags: analytic_story: - - LAMEHUG + - LAMEHUG + - SesameOp asset_type: Endpoint mitre_attack_id: - - T1071.004 + - T1071.004 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml new file mode 100644 index 0000000000..de0327811b --- /dev/null +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -0,0 +1,78 @@ +name: Windows Potential AppDomainManager Hijack Artifacts Creation +id: be19b369-fd0c-42be-ae97-c10b6c01638f +version: 1 +date: '2025-12-10' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the creation of an .exe file along with its corresponding .exe.config and a .dll in the same directory, which is a common pattern indicative of potential AppDomain hijacking or CLR code injection attempts. This behavior may signal that a malicious actor is attempting to load a rogue assembly into a legitimate application's AppDomain, allowing code execution under the context of a trusted process. +data_source: +- Sysmon EventID 11 +search: | + | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Filesystem + where Filesystem.file_name IN ("*.exe", "*.exe.config", "*.dll") AND Filesystem.file_path IN + ("*\\windows\\fonts\\*", "*\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*","*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*", "*\\programdata\\*") + AND Filesystem.action = "created" + by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product + | `drop_dm_object_name("Filesystem")` + | stats values(file_name) AS files_found + values(user) AS users + min(firstTime) AS firstTime max(lastTime) AS lastTime + BY dest process_guid + | eval exe_files = mvfilter(match(files_found, "\.exe$") AND NOT match(files_found, "\.exe\.config$")) + | eval config_files = mvfilter(match(files_found, "\.exe\.config$")) + | eval exe_base_names = mvmap(exe_files, replace(exe_files, "\.exe$", "")) + | eval config_base_names = mvmap(config_files, replace(config_files, "\.exe\.config$", "")) + | eval matching_base_names = mvmap(exe_base_names, if(mvfind(config_base_names, VALUE) != -1, VALUE, null())) + | eval file_count = mvcount(files_found) + | eval match_count = mvcount(matching_base_names) + | where file_count = 3 AND match_count > 0 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_potential_appdomainmanager_hijack_artifacts_creation_filter` +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the file name, file path, and process_guid executions from your endpoints. + If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. +known_false_positives: Administrator or network operator can create file in ~/.ssh + folders for automation purposes. Please update the filter macros to remove false + positives. +references: +- https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A file $files_found$ is created in $file_path$ on $dest$ + risk_objects: + - field: dest + type: system + score: 30 + threat_objects: [] +tags: + analytic_story: + - SesameOp + asset_type: Endpoint + mitre_attack_id: + - T1574.014 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.014/appdomain_hijack_artifacts/appdomain_hijack.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml index cb7edd4f3d..01d565781c 100644 --- a/detections/endpoint/windows_process_execution_in_temp_dir.yml +++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml @@ -1,7 +1,7 @@ name: Windows Process Execution in Temp Dir id: f6fbe929-4187-4ba4-901e-8a34be838443 -version: 6 -date: '2025-09-30' +version: 7 +date: '2025-12-10' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -82,6 +82,7 @@ tags: - PathWiper - PromptLock - Lokibot + - SesameOp asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 5896e7591d..4d35488e2f 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 17 -date: '2025-10-31' +version: 18 +date: '2025-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -126,6 +126,7 @@ tags: - GhostRedirector IIS Module and Rungan Backdoor - Lokibot - Castle RAT + - SesameOp asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml index 9f352739b3..f51e57a96d 100644 --- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml +++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml @@ -1,7 +1,7 @@ name: WinEvent Scheduled Task Created Within Public Path id: 5d9c6eee-988c-11eb-8253-acde48001122 -version: 20 -date: '2025-10-31' +version: 21 +date: '2025-12-10' author: Michael Haag, Splunk status: production type: TTP @@ -87,6 +87,9 @@ tags: - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer - Castle RAT + - ValleyRAT + - PlugX + - Remcos asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index 60526673ff..4ea5b06026 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -1,7 +1,7 @@ name: WinEvent Windows Task Scheduler Event Action Started id: b3632472-310b-11ec-9aab-acde48001122 -version: 10 -date: '2025-05-26' +version: 11 +date: '2025-12-10' author: Michael Haag, Splunk status: production type: Hunting @@ -48,6 +48,8 @@ tags: - Qakbot - Sandworm Tools - Industroyer2 + - PlugX + - Remcos asset_type: Endpoint mitre_attack_id: - T1053.005 diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index 181119e92c..ecf3121ba0 100644 --- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -1,7 +1,7 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: 13 -date: '2025-05-26' +version: 14 +date: '2025-12-10' author: Teoderick Contreras, Splunk status: production type: TTP @@ -64,6 +64,8 @@ tags: - PXA Stealer - WhisperGate - Cactus Ransomware + - Braodo Stealer + - RedLine Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/stories/sesameop.yml b/stories/sesameop.yml new file mode 100644 index 0000000000..32f1ca6049 --- /dev/null +++ b/stories/sesameop.yml @@ -0,0 +1,20 @@ +name: SesameOp +id: 26b6c7c5-351b-489f-8053-da6cbaa74479 +version: 1 +date: '2025-12-10' +author: Teoderick Contreras, Splunk +status: production +description: SesameOp is a newly discovered backdoor that abuses the OpenAI Assistants API as its command-and-control (C2) channel. Instead of using a traditional malicious server infrastructure, the malware loads a heavily obfuscated .NET DLL (Netapi64.dll / OpenAIAgent.Netapi64) which reaches out to the Assistants API to fetch encrypted, compressed commands and then executes them on the infected host. Results from these commands are likewise compressed, encrypted and sent back via the same legitimate API channel — effectively hiding malicious traffic in seemingly normal API calls. To evade detection, it injects into the host using .NET AppDomainManager injection, maintains persistence over time, and obfuscates communications via symmetric and asymmetric encryption plus compression. +narrative: SesameOp is a stealthy backdoor discovered in July 2025 that abuses the OpenAI Assistants API as a covert command-and-control channel. It comprises two components, a heavily obfuscated loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64). The loader uses .NET AppDomainManager injection to persist within otherwise legitimate host processes such as developer tools. Once active, the backdoor fetches encrypted, compressed commands hidden in AI-assistant metadata from the OpenAI API, executes them locally, and returns results using the same legitimate HTTPS traffic. Because the traffic resembles normal AI API usage, it easily evades standard network detection methods. +references: +- https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ +tags: + category: + - Data Destruction + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 10440c8ee0fdfbaf228547be43b8c9b994c98ad7 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 11:56:50 +0100 Subject: [PATCH 02/13] sesameop --- detections/endpoint/registry_keys_used_for_persistence.yml | 2 +- .../endpoint/scheduled_task_deleted_or_created_via_cmd.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 2c1d04a6e9..8ee6b7f681 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,6 +1,6 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 28 +version: 27 date: '2025-12-10' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index b1f9307a3b..b53d2112ae 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,6 +1,6 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 23 +version: 22 date: '2025-12-10' author: Bhavin Patel, Splunk status: production From 7b01655f04c5185acaed9edc325b0a7d99923d37 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 14:33:33 +0100 Subject: [PATCH 03/13] sesameop --- ...omainmanager_hijack_artifacts_creation.yml | 29 ++++++++++++------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index de0327811b..d68e2e90a9 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -11,7 +11,7 @@ data_source: search: | | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.exe.config", "*.dll") AND Filesystem.file_path IN - ("*\\windows\\fonts\\*", "*\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*","*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*", "*\\programdata\\*") + ("*\\windows\\fonts\\*", "*\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*","*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*") AND Filesystem.action = "created" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name("Filesystem")` @@ -19,25 +19,32 @@ search: | values(user) AS users min(firstTime) AS firstTime max(lastTime) AS lastTime BY dest process_guid + | eval exe_present = if(mvcount(mvfilter(match(files_found, "\.exe$"))) > 0, 1, 0) + | eval config_present = if(mvcount(mvfilter(match(files_found, "\.exe\.config$"))) > 0, 1, 0) + | eval dll_present = if(mvcount(mvfilter(match(files_found, "\.dll$"))) > 0, 1, 0) + | eval exe_files = mvfilter(match(files_found, "\.exe$") AND NOT match(files_found, "\.exe\.config$")) | eval config_files = mvfilter(match(files_found, "\.exe\.config$")) | eval exe_base_names = mvmap(exe_files, replace(exe_files, "\.exe$", "")) | eval config_base_names = mvmap(config_files, replace(config_files, "\.exe\.config$", "")) | eval matching_base_names = mvmap(exe_base_names, if(mvfind(config_base_names, VALUE) != -1, VALUE, null())) + | eval file_count = mvcount(files_found) | eval match_count = mvcount(matching_base_names) - | where file_count = 3 AND match_count > 0 + + | where file_count >= 3 AND match_count > 0 AND exe_present = 1 AND config_present = 1 AND dll_present = 1 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + | `security_content_ctime(lastTime)` | `windows_potential_appdomainmanager_hijack_artifacts_creation_filter` -how_to_implement: To successfully implement this search, you need to be ingesting - logs with the file name, file path, and process_guid executions from your endpoints. - If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. -known_false_positives: Administrator or network operator can create file in ~/.ssh - folders for automation purposes. Please update the filter macros to remove false - positives. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: Administrator or network operator can create appdomain config file relative to the .NET application as part of installation. Filtering is needed. references: - https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ +- https://attack.mitre.org/techniques/T1574/014/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' @@ -58,7 +65,9 @@ rba: - field: dest type: system score: 30 - threat_objects: [] + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - SesameOp From 3002e2e142ff670f2d5b28dacb521b0321dce57c Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 15:00:47 +0100 Subject: [PATCH 04/13] sesameop --- .../windows_ai_platform_dns_query.yml | 19 +++++++++---------- macros/is_not_browser_app_macro.yml | 3 +++ 2 files changed, 12 insertions(+), 10 deletions(-) create mode 100644 macros/is_not_browser_app_macro.yml diff --git a/detections/endpoint/windows_ai_platform_dns_query.yml b/detections/endpoint/windows_ai_platform_dns_query.yml index 452012f8bd..85d1b8dfae 100644 --- a/detections/endpoint/windows_ai_platform_dns_query.yml +++ b/detections/endpoint/windows_ai_platform_dns_query.yml @@ -6,19 +6,18 @@ author: Teoderick Contreras, Splunk status: production type: Anomaly description: | - The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, a popular provider of machine learning models and services. Monitoring for such DNS requests is important because it can reveal when systems are reaching out to external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting these queries helps organizations enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring ensures better control over AI model usage and organizational data flows. + The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows. data_source: - Sysmon EventID 22 search: | - `sysmon` EventCode=22 (process_name IN ("python.exe", "cmd.exe", "rundll32.exe","powershell.exe", "pwsh.exe") OR - Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*")) AND - QueryName IN ("router.huggingface.co", "api.openai.com") - | rename dvc as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id Image - vendor_product QueryName QueryResults QueryStatus - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` + `sysmon` EventCode=22 QueryName IN ("router.huggingface.co", "api.openai.com") + | `is_not_browser_app_macro` + | rename dvc as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id Image + vendor_product QueryName QueryResults QueryStatus + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `windows_ai_platform_dns_query_filter` how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. diff --git a/macros/is_not_browser_app_macro.yml b/macros/is_not_browser_app_macro.yml new file mode 100644 index 0000000000..4972171d44 --- /dev/null +++ b/macros/is_not_browser_app_macro.yml @@ -0,0 +1,3 @@ +definition: lookup update=true browser_app_list browser_process_name AS process_name OUTPUT isAllowed | search isAllowed!=true +description: This macro is designed to identify non-browser applications process name. Remove or filter as needed based. +name: is_not_browser_app_macro \ No newline at end of file From 254e7a520086249a17cce8dfe64d2896c68eeb9b Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 15:02:43 +0100 Subject: [PATCH 05/13] sesameop --- stories/sesameop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stories/sesameop.yml b/stories/sesameop.yml index 32f1ca6049..5a6735faa6 100644 --- a/stories/sesameop.yml +++ b/stories/sesameop.yml @@ -4,7 +4,7 @@ version: 1 date: '2025-12-10' author: Teoderick Contreras, Splunk status: production -description: SesameOp is a newly discovered backdoor that abuses the OpenAI Assistants API as its command-and-control (C2) channel. Instead of using a traditional malicious server infrastructure, the malware loads a heavily obfuscated .NET DLL (Netapi64.dll / OpenAIAgent.Netapi64) which reaches out to the Assistants API to fetch encrypted, compressed commands and then executes them on the infected host. Results from these commands are likewise compressed, encrypted and sent back via the same legitimate API channel — effectively hiding malicious traffic in seemingly normal API calls. To evade detection, it injects into the host using .NET AppDomainManager injection, maintains persistence over time, and obfuscates communications via symmetric and asymmetric encryption plus compression. +description: SesameOp is a Backdoor that abuses the OpenAI Assistants API as its command-and-control (C2) channel. Instead of using a traditional malicious server infrastructure, the malware loads a heavily obfuscated .NET DLL (Netapi64.dll / OpenAIAgent.Netapi64) which reaches out to the Assistants API to fetch encrypted, compressed commands and then executes them on the infected host. Results from these commands are likewise compressed, encrypted and sent back via the same legitimate API channel — effectively hiding malicious traffic in seemingly normal API calls. To evade detection, it injects into the host using .NET AppDomainManager injection, maintains persistence over time, and obfuscates communications via symmetric and asymmetric encryption plus compression. narrative: SesameOp is a stealthy backdoor discovered in July 2025 that abuses the OpenAI Assistants API as a covert command-and-control channel. It comprises two components, a heavily obfuscated loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64). The loader uses .NET AppDomainManager injection to persist within otherwise legitimate host processes such as developer tools. Once active, the backdoor fetches encrypted, compressed commands hidden in AI-assistant metadata from the OpenAI API, executes them locally, and returns results using the same legitimate HTTPS traffic. Because the traffic resembles normal AI API usage, it easily evades standard network detection methods. references: - https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ From 080769feb921486792c59306faf09fcc4156f6df Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 17:52:44 +0100 Subject: [PATCH 06/13] sesameop --- ...pdomainmanager_hijack_artifacts_creation.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index d68e2e90a9..087b678349 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -16,23 +16,26 @@ search: | by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name("Filesystem")` | stats values(file_name) AS files_found - values(user) AS users - min(firstTime) AS firstTime max(lastTime) AS lastTime - BY dest process_guid + values(user) AS users + min(firstTime) AS firstTime max(lastTime) AS lastTime + BY dest process_guid | eval exe_present = if(mvcount(mvfilter(match(files_found, "\.exe$"))) > 0, 1, 0) | eval config_present = if(mvcount(mvfilter(match(files_found, "\.exe\.config$"))) > 0, 1, 0) | eval dll_present = if(mvcount(mvfilter(match(files_found, "\.dll$"))) > 0, 1, 0) - + | eval exe_files = mvfilter(match(files_found, "\.exe$") AND NOT match(files_found, "\.exe\.config$")) | eval config_files = mvfilter(match(files_found, "\.exe\.config$")) | eval exe_base_names = mvmap(exe_files, replace(exe_files, "\.exe$", "")) | eval config_base_names = mvmap(config_files, replace(config_files, "\.exe\.config$", "")) - | eval matching_base_names = mvmap(exe_base_names, if(mvfind(config_base_names, VALUE) != -1, VALUE, null())) + | eval zipped_names = mvzip(exe_base_names, config_base_names, "==") + + | mvexpand exe_base_names + | mvexpand config_base_names + | eval file_count = mvcount(files_found) - | eval match_count = mvcount(matching_base_names) - | where file_count >= 3 AND match_count > 0 AND exe_present = 1 AND config_present = 1 AND dll_present = 1 + | where file_count >= 3 AND exe_present = 1 AND config_present = 1 AND dll_present = 1 AND exe_base_names = config_base_names | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_potential_appdomainmanager_hijack_artifacts_creation_filter` From e33bae12c4b876d3047a5c53fd97ec7512ffb687 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 10 Dec 2025 17:54:56 +0100 Subject: [PATCH 07/13] sesameop --- ...ows_potential_appdomainmanager_hijack_artifacts_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index 087b678349..3e58272b0a 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -67,7 +67,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: file_name type: file_name From 56bc52da9a592769e9d4347bd33f155627ede15a Mon Sep 17 00:00:00 2001 From: Br3akp0int <26181693+tccontre@users.noreply.github.com> Date: Thu, 11 Dec 2025 10:34:58 +0100 Subject: [PATCH 08/13] Update detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml Co-authored-by: Nasreddine Bencherchali --- ...ws_potential_appdomainmanager_hijack_artifacts_creation.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index 3e58272b0a..486820a404 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -48,6 +48,9 @@ known_false_positives: Administrator or network operator can create appdomain co references: - https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ - https://attack.mitre.org/techniques/T1574/014/ +- https://gist.github.com/djhohnstein/afb93a114b848e16facf0b98cd7cb57b +- https://www.scworld.com/brief/appdomain-manager-injection-exploited-for-cobalt-strike-beacon-delivery +- https://jp.security.ntt/insights_resources/tech_blog/appdomainmanager-injection-en/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"' From e265b2146a998c17c65cf6df9b47c8bdffcb27b3 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 11 Dec 2025 10:50:57 +0100 Subject: [PATCH 09/13] sesameop --- .../windows_ai_platform_dns_query.yml | 2 +- ...omainmanager_hijack_artifacts_creation.yml | 27 ++++++++++--------- macros/is_not_browser_app_macro.yml | 3 --- 3 files changed, 15 insertions(+), 17 deletions(-) delete mode 100644 macros/is_not_browser_app_macro.yml diff --git a/detections/endpoint/windows_ai_platform_dns_query.yml b/detections/endpoint/windows_ai_platform_dns_query.yml index 85d1b8dfae..cb0069ac92 100644 --- a/detections/endpoint/windows_ai_platform_dns_query.yml +++ b/detections/endpoint/windows_ai_platform_dns_query.yml @@ -11,7 +11,7 @@ data_source: - Sysmon EventID 22 search: | `sysmon` EventCode=22 QueryName IN ("router.huggingface.co", "api.openai.com") - | `is_not_browser_app_macro` + | lookup update=true browser_app_list browser_process_name AS process_name OUTPUT isAllowed | search isAllowed!=true | rename dvc as dest | stats count min(_time) as firstTime max(_time) as lastTime by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id Image diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index 486820a404..3eaf2cc96a 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -15,25 +15,24 @@ search: | AND Filesystem.action = "created" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name("Filesystem")` - | stats values(file_name) AS files_found + | stats values(file_name) AS files_names + values(file_path) AS files_paths values(user) AS users min(firstTime) AS firstTime max(lastTime) AS lastTime BY dest process_guid - | eval exe_present = if(mvcount(mvfilter(match(files_found, "\.exe$"))) > 0, 1, 0) - | eval config_present = if(mvcount(mvfilter(match(files_found, "\.exe\.config$"))) > 0, 1, 0) - | eval dll_present = if(mvcount(mvfilter(match(files_found, "\.dll$"))) > 0, 1, 0) + | eval exe_present = if(mvcount(mvfilter(match(files_names, "\.exe$"))) > 0, 1, 0) + | eval config_present = if(mvcount(mvfilter(match(files_names, "\.exe\.config$"))) > 0, 1, 0) + | eval dll_present = if(mvcount(mvfilter(match(files_names, "\.dll$"))) > 0, 1, 0) - | eval exe_files = mvfilter(match(files_found, "\.exe$") AND NOT match(files_found, "\.exe\.config$")) - | eval config_files = mvfilter(match(files_found, "\.exe\.config$")) + | eval exe_files = mvfilter(match(files_names, "\.exe$") AND NOT match(files_names, "\.exe\.config$")) + | eval config_files = mvfilter(match(files_names, "\.exe\.config$")) | eval exe_base_names = mvmap(exe_files, replace(exe_files, "\.exe$", "")) | eval config_base_names = mvmap(config_files, replace(config_files, "\.exe\.config$", "")) - - | eval zipped_names = mvzip(exe_base_names, config_base_names, "==") - + | mvexpand exe_base_names | mvexpand config_base_names - | eval file_count = mvcount(files_found) + | eval file_count = mvcount(files_names) | where file_count >= 3 AND exe_present = 1 AND config_present = 1 AND dll_present = 1 AND exe_base_names = config_base_names | `security_content_ctime(firstTime)` @@ -44,7 +43,7 @@ how_to_implement: To successfully implement this search you need to be ingesting your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Administrator or network operator can create appdomain config file relative to the .NET application as part of installation. Filtering is needed. +known_false_positives: This detection may still produce false positives, so additional filtering is recommended. To validate potential alerts, verify that the executable’s original file name matches its current file name, and also review the associated .config file to confirm which DLLs are expected to load during execution. This helps distinguish legitimate activity from suspicious behavior. references: - https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/ - https://attack.mitre.org/techniques/T1574/014/ @@ -66,14 +65,16 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A file $files_found$ is created in $file_path$ on $dest$ + message: A file $files_name$ is created in $file_path$ on $dest$ risk_objects: - field: dest type: system score: 20 threat_objects: - - field: file_name + - field: file_names type: file_name + - field: file_paths + type: file_path tags: analytic_story: - SesameOp diff --git a/macros/is_not_browser_app_macro.yml b/macros/is_not_browser_app_macro.yml deleted file mode 100644 index 4972171d44..0000000000 --- a/macros/is_not_browser_app_macro.yml +++ /dev/null @@ -1,3 +0,0 @@ -definition: lookup update=true browser_app_list browser_process_name AS process_name OUTPUT isAllowed | search isAllowed!=true -description: This macro is designed to identify non-browser applications process name. Remove or filter as needed based. -name: is_not_browser_app_macro \ No newline at end of file From 3f0da71f62e16a8f5ebaad75d4fd50e857f36edc Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 11 Dec 2025 10:53:44 +0100 Subject: [PATCH 10/13] sesameop --- ...ppdomainmanager_hijack_artifacts_creation.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index 3eaf2cc96a..6eadeb9948 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -15,24 +15,24 @@ search: | AND Filesystem.action = "created" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name("Filesystem")` - | stats values(file_name) AS files_names - values(file_path) AS files_paths + | stats values(file_name) AS file_names + values(file_path) AS file_paths values(user) AS users min(firstTime) AS firstTime max(lastTime) AS lastTime BY dest process_guid - | eval exe_present = if(mvcount(mvfilter(match(files_names, "\.exe$"))) > 0, 1, 0) - | eval config_present = if(mvcount(mvfilter(match(files_names, "\.exe\.config$"))) > 0, 1, 0) - | eval dll_present = if(mvcount(mvfilter(match(files_names, "\.dll$"))) > 0, 1, 0) + | eval exe_present = if(mvcount(mvfilter(match(file_names, "\.exe$"))) > 0, 1, 0) + | eval config_present = if(mvcount(mvfilter(match(file_names, "\.exe\.config$"))) > 0, 1, 0) + | eval dll_present = if(mvcount(mvfilter(match(file_names, "\.dll$"))) > 0, 1, 0) - | eval exe_files = mvfilter(match(files_names, "\.exe$") AND NOT match(files_names, "\.exe\.config$")) - | eval config_files = mvfilter(match(files_names, "\.exe\.config$")) + | eval exe_files = mvfilter(match(file_names, "\.exe$") AND NOT match(file_names, "\.exe\.config$")) + | eval config_files = mvfilter(match(file_names, "\.exe\.config$")) | eval exe_base_names = mvmap(exe_files, replace(exe_files, "\.exe$", "")) | eval config_base_names = mvmap(config_files, replace(config_files, "\.exe\.config$", "")) | mvexpand exe_base_names | mvexpand config_base_names - | eval file_count = mvcount(files_names) + | eval file_count = mvcount(file_names) | where file_count >= 3 AND exe_present = 1 AND config_present = 1 AND dll_present = 1 AND exe_base_names = config_base_names | `security_content_ctime(firstTime)` From 5003ee542c694958d3ddb407ce38e03c78e137d4 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 11 Dec 2025 10:56:29 +0100 Subject: [PATCH 11/13] sesameop --- ...ows_potential_appdomainmanager_hijack_artifacts_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml index 6eadeb9948..faa41a3bf5 100644 --- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml +++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml @@ -65,7 +65,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A file $files_name$ is created in $file_path$ on $dest$ + message: A file $file_name$ is created in $file_path$ on $dest$ risk_objects: - field: dest type: system From 3a1c68d2ce803409163949d2c63beeac759b2cba Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 11 Dec 2025 10:59:40 +0100 Subject: [PATCH 12/13] sesameop --- detections/endpoint/registry_keys_used_for_persistence.yml | 2 +- .../endpoint/scheduled_task_deleted_or_created_via_cmd.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml index 8ee6b7f681..2c1d04a6e9 100644 --- a/detections/endpoint/registry_keys_used_for_persistence.yml +++ b/detections/endpoint/registry_keys_used_for_persistence.yml @@ -1,6 +1,6 @@ name: Registry Keys Used For Persistence id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b -version: 27 +version: 28 date: '2025-12-10' author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk status: production diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index b53d2112ae..b1f9307a3b 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,6 +1,6 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 22 +version: 23 date: '2025-12-10' author: Bhavin Patel, Splunk status: production From 8459a9a9b462ca5a961ca74cfd7080f819cc52ee Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 17 Dec 2025 13:40:56 +0100 Subject: [PATCH 13/13] sesameop --- ...utables_or_script_creation_in_temp_path.yml | 1 + .../endpoint/windows_ai_platform_dns_query.yml | 5 +++-- ...n_autostart_execution_in_startup_folder.yml | 9 ++++++--- stories/promptflux.yml | 18 ++++++++++++++++++ 4 files changed, 28 insertions(+), 5 deletions(-) create mode 100644 stories/promptflux.yml diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 02c5e4f696..66fb8ab36f 100644 --- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -110,6 +110,7 @@ tags: - PromptLock - Lokibot - SesameOp + - PromptFlux asset_type: Endpoint mitre_attack_id: - T1036 diff --git a/detections/endpoint/windows_ai_platform_dns_query.yml b/detections/endpoint/windows_ai_platform_dns_query.yml index cb0069ac92..c018bc247a 100644 --- a/detections/endpoint/windows_ai_platform_dns_query.yml +++ b/detections/endpoint/windows_ai_platform_dns_query.yml @@ -1,7 +1,7 @@ name: Windows AI Platform DNS Query id: 1ad89d24-c856-4a0e-8fdf-c20c7b9febe1 version: 2 -date: '2025-12-10' +date: '2025-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -53,6 +53,7 @@ tags: analytic_story: - LAMEHUG - SesameOp + - PromptFlux asset_type: Endpoint mitre_attack_id: - T1071.004 @@ -66,4 +67,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lamehug/T1071.004/hugging_face/huggingface.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 99e6497da7..7f7b611666 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -1,7 +1,7 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: 11 -date: '2025-09-18' +version: 12 +date: '2025-12-17' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -54,7 +54,9 @@ rba: - field: dest type: system score: 81 - threat_objects: [] + threat_objects: + - field: file_name + type: file_name tags: analytic_story: - XWorm @@ -66,6 +68,7 @@ tags: - RedLine Stealer - Interlock Ransomware - APT37 Rustonotto and FadeStealer + - PromptFlux asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/stories/promptflux.yml b/stories/promptflux.yml new file mode 100644 index 0000000000..2c8de7c68a --- /dev/null +++ b/stories/promptflux.yml @@ -0,0 +1,18 @@ +name: PromptFlux +id: e5a8476a-5c58-4da6-8b27-6e18690cca37 +version: 1 +date: '2025-12-17' +author: Teoderick Contreras, Splunk +status: production +description: PromptFlux is a POC malware sample that abuses Gemini-like services for command-and-control operations. It achieves persistence by dropping executables or scripts in startup folders and frequently accesses the Gemini API using hard-coded keys or unauthorized requests, often from non-standard processes. The malware also stages payloads, configuration files, or encrypted prompts in temporary directories such as TMP, leaving forensic artifacts. Detection involves monitoring these locations, tracking anomalous API calls, and observing unusual outbound traffic or process injections, enabling early identification and mitigation. +narrative: PromptFlux is currently a POC malware sample that abuses Gemini-like services for malicious command execution. It ensures persistence by dropping files in startup folders and staging payloads in temporary directories. The malware exploits Gemini API access to receive instructions or exfiltrate data, often using hard-coded keys or unauthorized requests. Its activity may include unusual outbound traffic, process injections, and script execution outside normal workflows. Monitoring these locations and API usage can help identify infections early and prevent further compromise. +references: + - https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file