SplashTop Network

 1title: SplashTop Network
 2id: 53d94914-971a-4326-a3d6-b11e0d409914
 3status: experimental
 4description: Detects use of SplashTop
 5author: _pete_0, TheDFIRReport
 6references:
 7  - https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-
 8  - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 9date: 2022/05/06
10modified: 2022/05/06
11logsource:
12  category: dns_query
13  product: windows
14detection:
15  selection:
16    QueryName|contains:
17      - '.splashtop.com'
18      - '.splashtop.eu'
19    Image|endswith:
20      - '\spupnp.exe'
21      - '\Dataproxy.exe'
22      - '\SRServer.exe'
23      - '\SRFeature.exe'
24      - '\SSUService.exe'
25      - '\strwinclt.exe'
26  condition: selection
27falsepositives:
28  - Legitimate SplashTop installation
29level: high
30tags:
31  - attack.lateral_movement
32  - attack.t1133
33  - attack.command_and_control
34  - attack.t1219

References

• https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-

  
  Read More

• Stolen Images Campaign Ends in Conti Ransomware

  

  In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam ca…

  
  Read More

Related rules

• AnyDesk Network
• SplashTop Process
• Executable Deployment from Remote Share
• Suspicious Registry Modification of MaxMpxCt Parameters
• BITSAdmin Downloading Malicious Binaries