splunk · tccontre · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 20
-date: '2025-10-31'
+version: 21
+date: '2025-12-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -118,6 +118,7 @@ tags:
   - GhostRedirector IIS Module and Rungan Backdoor
   - Lokibot
   - Castle RAT
+  - SesameOp
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 16
-date: '2025-09-30'
+version: 17
+date: '2025-12-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -109,6 +109,8 @@ tags:
   - APT37 Rustonotto and FadeStealer
   - PromptLock
   - Lokibot
+  - SesameOp
+  - PromptFlux
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 27
-date: '2025-11-20'
+version: 28
+date: '2025-12-10'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -118,6 +118,10 @@ tags:
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
   - NetSupport RMM Tool Abuse
+  - DarkCrystal RAT
+  - Lokibot
+  - ValleyRAT
+  - Castle RAT
   asset_type: Endpoint
   mitre_attack_id:
   - T1547.001

@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 22
-date: '2025-11-20'
+version: 23
+date: '2025-12-10'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -108,6 +108,9 @@ tags:
   - APT37 Rustonotto and FadeStealer
   - Lokibot
   - NetSupport RMM Tool Abuse
+  - ValleyRAT
+  - PlugX
+  - Remcos
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

@@ -1,27 +1,31 @@
 name: Windows AI Platform DNS Query
 id: 1ad89d24-c856-4a0e-8fdf-c20c7b9febe1
-version: 1
-date: '2025-08-25'
+version: 2
+date: '2025-12-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, a popular provider of machine learning models and services. Monitoring for such DNS requests is important because it can reveal when systems are reaching out to external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting these queries helps organizations enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring ensures better control over AI model usage and organizational data flows.
+description: | 
+  The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows.
 data_source:
-- Sysmon EventID 22
-search: '`sysmon` EventCode=22 process_name IN ("python.exe", "cmd.exe", "rundll32.exe","powershell.exe", "pwsh.exe") QueryName= "router.huggingface.co"
-  | rename dvc as dest
-  | stats count min(_time) as firstTime max(_time) as lastTime 
-  by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id
-  vendor_product QueryName QueryResults QueryStatus 
-  | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)`
-  | `windows_ai_platform_dns_query_filter`'
+  - Sysmon EventID 22
+search: |
+  `sysmon` EventCode=22 QueryName IN ("router.huggingface.co", "api.openai.com")
+    | lookup update=true browser_app_list browser_process_name AS process_name OUTPUT isAllowed | search isAllowed!=true
+    | rename dvc as dest
+    | stats count min(_time) as firstTime max(_time) as lastTime 
+    by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id Image
+    vendor_product QueryName QueryResults QueryStatus 
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+  | `windows_ai_platform_dns_query_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   logs with the process name and eventcode = 22 dnsquery executions from your endpoints.
   If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
 known_false_positives: researcher, engineering and administrator may create a automation that queries huggingface ai platform hub for accomplishing task.
 references:
 - https://cert.gov.ua/article/6284730
+- https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
   search: '%original_detection_search% | search  dest = "$dest$"'
@@ -47,18 +51,20 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - LAMEHUG
+    - LAMEHUG
+    - SesameOp
+    - PromptFlux
   asset_type: Endpoint
   mitre_attack_id:
-  - T1071.004
+    - T1071.004
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lamehug/T1071.004/hugging_face/huggingface.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog
@@ -1,7 +1,7 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 11
-date: '2025-09-18'
+version: 12
+date: '2025-12-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -54,7 +54,9 @@ rba:
   - field: dest
     type: system
     score: 81
-  threat_objects: []
+  threat_objects:
+    - field: file_name
+      type: file_name
 tags:
   analytic_story:
   - XWorm
@@ -66,6 +68,7 @@ tags:
   - RedLine Stealer
   - Interlock Ransomware
   - APT37 Rustonotto and FadeStealer
+  - PromptFlux
   asset_type: Endpoint
   mitre_attack_id:
   - T1547.001

@@ -0,0 +1,94 @@
+name: Windows Potential AppDomainManager Hijack Artifacts Creation
+id: be19b369-fd0c-42be-ae97-c10b6c01638f
+version: 1
+date: '2025-12-10'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects the creation of an .exe file along with its corresponding .exe.config and a .dll in the same directory, which is a common pattern indicative of potential AppDomain hijacking or CLR code injection attempts. This behavior may signal that a malicious actor is attempting to load a rogue assembly into a legitimate application's AppDomain, allowing code execution under the context of a trusted process.
+data_source:
+- Sysmon EventID 11
+search: |
+  | tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime from datamodel=Endpoint.Filesystem
+  where Filesystem.file_name IN ("*.exe", "*.exe.config", "*.dll") AND Filesystem.file_path IN
+    ("*\\windows\\fonts\\*", "*\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*","*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*")
+  AND Filesystem.action = "created"
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
+  | `drop_dm_object_name("Filesystem")`
+  | stats values(file_name) AS file_names
+          values(file_path) AS file_paths
+          values(user) AS users
+          min(firstTime) AS firstTime max(lastTime) AS lastTime
+          BY dest process_guid
+  | eval exe_present = if(mvcount(mvfilter(match(file_names, "\.exe$"))) > 0, 1, 0)
+  | eval config_present = if(mvcount(mvfilter(match(file_names, "\.exe\.config$"))) > 0, 1, 0)
+  | eval dll_present = if(mvcount(mvfilter(match(file_names, "\.dll$"))) > 0, 1, 0)
+
+  | eval exe_files = mvfilter(match(file_names, "\.exe$") AND NOT match(file_names, "\.exe\.config$"))
+  | eval config_files = mvfilter(match(file_names, "\.exe\.config$"))
+  | eval exe_base_names = mvmap(exe_files, replace(exe_files, "\.exe$", ""))
+  | eval config_base_names = mvmap(config_files, replace(config_files, "\.exe\.config$", ""))
+
+  | mvexpand exe_base_names
+  | mvexpand config_base_names
+
+  | eval file_count = mvcount(file_names)
+
+  | where file_count >= 3 AND exe_present = 1 AND config_present = 1 AND dll_present = 1 AND exe_base_names = config_base_names
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_potential_appdomainmanager_hijack_artifacts_creation_filter`
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on process that include the name of the process responsible for the changes from
+  your endpoints into the `Endpoint` datamodel in the `Filesystem` node. In addition,
+  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
+  endpoint product.
+known_false_positives: This detection may still produce false positives, so additional filtering is recommended. To validate potential alerts, verify that the executable’s original file name matches its current file name, and also review the associated .config file to confirm which DLLs are expected to load during execution. This helps distinguish legitimate activity from suspicious behavior.
+references:
+- https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/
+- https://attack.mitre.org/techniques/T1574/014/ 
+- https://gist.github.com/djhohnstein/afb93a114b848e16facf0b98cd7cb57b
+- https://www.scworld.com/brief/appdomain-manager-injection-exploited-for-cobalt-strike-beacon-delivery
+- https://jp.security.ntt/insights_resources/tech_blog/appdomainmanager-injection-en/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A file $file_name$ is created in $file_path$ on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 20
+  threat_objects: 
+  - field: file_names
+    type: file_name
+  - field: file_paths
+    type: file_path
+tags:
+  analytic_story:
+  - SesameOp
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1574.014
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.014/appdomain_hijack_artifacts/appdomain_hijack.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -1,7 +1,7 @@
 name: Windows Process Execution in Temp Dir
 id: f6fbe929-4187-4ba4-901e-8a34be838443
-version: 6
-date: '2025-09-30'
+version: 7
+date: '2025-12-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -82,6 +82,7 @@ tags:
   - PathWiper
   - PromptLock
   - Lokibot
+  - SesameOp
   asset_type: Endpoint
   mitre_attack_id:
   - T1543

@@ -1,7 +1,7 @@
 name: Windows Suspicious Process File Path
 id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
-version: 17
-date: '2025-10-31'
+version: 18
+date: '2025-12-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -126,6 +126,7 @@ tags:
   - GhostRedirector IIS Module and Rungan Backdoor
   - Lokibot
   - Castle RAT
+  - SesameOp
   asset_type: Endpoint
   mitre_attack_id:
   - T1543

@@ -1,7 +1,7 @@
 name: WinEvent Scheduled Task Created Within Public Path
 id: 5d9c6eee-988c-11eb-8253-acde48001122
-version: 20
-date: '2025-10-31'
+version: 21
+date: '2025-12-10'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -87,6 +87,9 @@ tags:
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
   - Castle RAT
+  - ValleyRAT
+  - PlugX
+  - Remcos
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
-version: 10
-date: '2025-05-26'
+version: 11
+date: '2025-12-10'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -48,6 +48,8 @@ tags:
   - Qakbot
   - Sandworm Tools
   - Industroyer2
+  - PlugX
+  - Remcos
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

@@ -1,7 +1,7 @@
 name: Suspicious Process DNS Query Known Abuse Web Services
 id: 3cf0dc36-484d-11ec-a6bc-acde48001122
-version: 13
-date: '2025-05-26'
+version: 14
+date: '2025-12-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -64,6 +64,8 @@ tags:
   - PXA Stealer
   - WhisperGate
   - Cactus Ransomware
+  - Braodo Stealer
+  - RedLine Stealer
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.005

@@ -0,0 +1,18 @@
+name: PromptFlux
+id: e5a8476a-5c58-4da6-8b27-6e18690cca37
+version: 1
+date: '2025-12-17'
+author: Teoderick Contreras, Splunk
+status: production
+description: PromptFlux is a POC malware sample that abuses Gemini-like services for command-and-control operations. It achieves persistence by dropping executables or scripts in startup folders and frequently accesses the Gemini API using hard-coded keys or unauthorized requests, often from non-standard processes. The malware also stages payloads, configuration files, or encrypted prompts in temporary directories such as TMP, leaving forensic artifacts. Detection involves monitoring these locations, tracking anomalous API calls, and observing unusual outbound traffic or process injections, enabling early identification and mitigation.
+narrative: PromptFlux is currently a POC malware sample that abuses Gemini-like services for malicious command execution. It ensures persistence by dropping files in startup folders and staging payloads in temporary directories. The malware exploits Gemini API access to receive instructions or exfiltrate data, often using hard-coded keys or unauthorized requests. Its activity may include unusual outbound traffic, process injections, and script execution outside normal workflows. Monitoring these locations and API usage can help identify infections early and prevent further compromise.
+references:
+  - https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection