Some BlueHammer detections #4037

Open

RavenTait wants to merge 3 commits into develop from bluehammer_redsun

Conversation

@RavenTait
Contributor

Contains detections and stories around BlueHammer and RedSun, as well as a new data source for Windows 4723.

Detections:

  • Windows Admin Password Changed by Non-Admin
  • Windows MsMpEng Writing to System32
  • Windows Non-System Process Querying Definition Update
  • Windows Suspicious Burst of Password Changes
  • Windows Suspicious Defender Engine or Signature Files Created
  • Windows Suspicious Defender Update Activity in INetCache

Stories:

  • BlueHammer
  • RedSun

Comment thread detections/endpoint/windows_admin_password_changed_by_non_admin.yml Outdated
@patel-bhavin patel-bhavin added this to the v6.1.0 milestone May 14, 2026
description: Detects a non-system process causing creation of CldFlt0.etl under C:\Windows\System32\LogFiles\CloudFiles\. This path is initialised by the CldFlt driver when a process calls CfRegisterSyncRoot() or CfConnectSyncRoot(). In the RedSun exploit this is a side-effect of the DoCloudStuff() function that registers a fake sync provider to create the cloud-tagged bait file. Legitimate cloud providers (OneDrive etc.) register sync roots from SYSTEM-level service processes, not from user-context executables.
data_source:
- Sysmon EventID 11
search: '`sysmon` EventCode=11 (TargetFilename = "*\\Windows\\System32\\LogFiles\\CloudFiles\\*" NOT Image IN ("*\\Windows\\System32*", "*\\Windows\\SysWOW64*","*\\Program Files\\WindowsApps*")) | stats count min(_time) as firstTime max(_time) as lastTime by action dest file_name file_path Image process_guid process_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cloud_files_filter_log_created_by_non_system_process_filter`'
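Review bot: the `search` matches any file created under `\Windows\System32\LogFiles\CloudFiles\`, while the description says the detection is about creation of `CldFlt0.etl` specifically; either narrow `TargetFilename` to `*\\LogFiles\\CloudFiles\\CldFlt0.etl` or reword the description so the two agree. The description also justifies the alert by process context (SYSTEM-level service versus user-context executable), but the search only excludes by `Image` path, so a SYSTEM service outside `System32`, `SysWOW64` and `WindowsApps` still fires and a user-context process launched from one of those paths does not; since `user_id` is already in the `stats ... by` clause, adding a condition on the user (or on the Sysmon `User` field) would make the logic match the stated rationale. Finally, the exclusion list is hard-coded in the search rather than left to the `windows_cloud_files_filter_log_created_by_non_system_process_filter` macro; consider keeping the search minimal and putting environment-specific exclusions in the filter macro, as the other detections in the repository do.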
Contributor

Can we also perhaps improve the formatting for all these sysmon searches in the PR such that it reads well? It does help with making the review a bit simpler.
