Detection rules › Splunk
Potential Proxy Malware via AutoRun Key (Sysmon)
The Windows Registry Run keys can be abused to establish persistence for malware known as SystemBC (aka Coroxy or DroxiDat), which functions as a proxy, bot, backdoor, and RAT. Threat actors utilize this method to maintain continuous access to a compromised system, enabling them to gather information, execute commands, and deploy additional malware. SystemBC has been observed modifying AutoRun keys with a value of socks5. This use case detects modifications to registry keys containing the path \SOFTWARE\Microsoft\Windows\CurrentVersion\Run including the value "socks5".
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '24645.45566'
title: Potential Proxy Malware via AutoRun Key
description: The Windows Registry Run keys can be abused to establish persistence
for malware known as SystemBC (aka Coroxy or DroxiDat), which functions as a proxy,
bot, backdoor, and RAT. Threat actors utilize this method to maintain continuous
access to a compromised system, enabling them to gather information, execute commands,
and deploy additional malware. SystemBC has been observed modifying AutoRun keys
with a value of socks5. This use case detects modifications to registry keys containing
the path \SOFTWARE\Microsoft\Windows\CurrentVersion\Run including the value "socks5".
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "socks5" | table _time, host,
user signature_id, process, process_*, user, parent_process_path | bin span=1s |
stats values(*) as * by _time, host '
techniques:
- persistence:boot or logon autostart execution:registry run keys / startup folder
- execution:command and scripting interpreter:powershell
technique_id:
- T1059.001
- T1547.001
data_category:
- Windows Sysmon
references:
- https://rexorvc0.com/2023/11/12/Swiss-Knife-SystemBC-Coroxy/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "socks5"
Stage 2: table
| table _time, host, user signature_id, process, process_*, user, parent_process_path
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" |
| 1 | "socks5" |