Branch was auto-updated.

detections/endpoint/linux_decode_base64_to_shell.yml

@@ -1,20 +1,20 @@
 name: Linux Decode Base64 to Shell
 id: 637b603e-1799-40fd-bf87-47ecbd551b66
-version: 2
-date: '2024-05-22'
+version: 3
+date: '2024-06-25'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-description: |-
-  The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like "base64 -d" and "base64 --decode" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system.
+description: The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because  it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.
 data_source:
 - Sysmon for Linux EventID 1
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64
-  -d*","*base64 --decode*") AND Processes.process="*|*" `linux_shells` by Processes.dest
-  Processes.user Processes.parent_process_name Processes.process_name Processes.process
-  Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where  Processes.process="*|*" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
+  | `drop_dm_object_name(Processes)`
+  | rex field=process "base64\s+(?<decode_flag>-{1,2}d\w*)"
+  | where isnotnull(decode_flag)
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `linux_decode_base64_to_shell_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -80,8 +80,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux
     update_timestamp: true

detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml

@@ -1,7 +1,7 @@
 name: Linux Obfuscated Files or Information Base64 Decode
 id: 303b38b2-c03f-44e2-8f41-4594606fcfc7
-version: 2
-date: '2024-05-15'
+version: 3
+date: '2024-06-25'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -15,9 +15,7 @@ description: The following analytic detects the use of the base64 decode command
 data_source:
 - Sysmon for Linux EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64
-  -d*","*base64 --decode*") by Processes.dest Processes.user Processes.parent_process_name
-  Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
+  as lastTime from datamodel=Endpoint.Processes where Processes.process_path="*/base64" Processes.process="*-d*" by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_integrity_level Processes.parent_process_name Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `linux_obfuscated_files_or_information_base64_decode_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
@@ -84,8 +82,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux
     update_timestamp: true

detections/endpoint/malicious_powershell_process___encoded_command.yml

@@ -1,8 +1,8 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 8
-date: '2024-05-19'
-author: David Dorsey, Michael Haag, Splunk
+version: 9
+date: '2024-07-26'
+author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
 type: Hunting
 description: 'The following analytic detects the use of the EncodedCommand parameter
@@ -22,8 +22,8 @@ search: "| tstats `security_content_summariesonly` count min(_time) as firstTime
   as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user
   Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name
   Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\\
-  s+[^-]\") | `malicious_powershell_process___encoded_command_filter`"
+  | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\")
+  | `malicious_powershell_process___encoded_command_filter`"
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -84,4 +84,4 @@ tests:
   - data: 
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: xmlwineventlog
+    sourcetype: xmlwineventlog

detections/endpoint/possible_lateral_movement_powershell_spawn.yml

@@ -1,8 +1,8 @@
 name: Possible Lateral Movement PowerShell Spawn
 id: cb909b3e-512b-11ec-aa31-3e22fbd008af
-version: 3
-date: '2024-05-20'
-author: Mauricio Velazco, Splunk
+version: 5
+date: '2024-06-18'
+author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
 description: 'The following analytic detects the spawning of a PowerShell process
@@ -22,11 +22,10 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe
   OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe)
   (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*)
-  OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*))
-  NOT (Processes.process IN ("*c:\windows\ccm\*")) by Processes.dest Processes.user
-  Processes.parent_process_name Processes.process_name Processes.process Processes.process_id
-  Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`'
+  OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*"))
+  by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
+  Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -92,7 +91,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/windows_protocol_tunneling_with_plink.yml

@@ -1,26 +1,26 @@
 name: Windows Protocol Tunneling with Plink
 id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed
-version: 2
-date: '2024-05-24'
+version: 3
+date: '2024-07-26'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-description: The following analytic detects the use of Plink for protocol tunneling,
-  either for egress or lateral movement within an organization. It identifies specific
-  Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs
-  from Endpoint Detection and Response (EDR) agents. This activity is significant
+description: This analytic detects the use of Plink (including renamed versions like pvhost.exe) for protocol tunneling,
+  which may be used for egress or lateral movement within an organization. It identifies specific
+  command-line options (-R, -L, -D, -l, -N, -P, -pw) commonly used for port forwarding and tunneling
+  by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant
   as it may indicate an attempt to bypass network security controls or establish unauthorized
   connections. If confirmed malicious, this could allow an attacker to exfiltrate
   data, move laterally across the network, or maintain persistent access, posing a
-  severe threat to the organization's security.
+  severe threat to the organization's security. The detection covers both the original Plink executable
+  and potential renamed versions, enhancing its ability to catch evasion attempts.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe
-  OR Processes.original_file_name=Plink Processes.process IN ("*-R *", "*-L *", "*-D
-  *", "*-l *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
+  as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=plink.exe OR Processes.process_name=pvhost.exe OR Processes.original_file_name=Plink) AND
+  Processes.process IN ("*-R *", "*-L *", "*-D *", "*-l *", "*-N *", "*-P *", "*-pw *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
   Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
   `windows_protocol_tunneling_with_plink_filter`'
@@ -40,6 +40,8 @@ references:
 - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
 - https://attack.mitre.org/techniques/T1572/
 - https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5
+- https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/0/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF
+- https://blog.talosintelligence.com/lazarus-three-rats/
 tags:
   analytic_story:
   - CISA AA22-257A
@@ -94,4 +96,4 @@ tests:
       https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog
-    update_timestamp: true
+    update_timestamp: true

detections/network/detect_remote_access_software_usage_dns.yml

@@ -1,17 +1,11 @@
 name: Detect Remote Access Software Usage DNS
 id: a16b797d-e309-41bd-8ba0-5067dae2e4be
-version: 2
+version: 3
 date: '2024-05-27'
 author: Steven Dick
 status: production
 type: Anomaly
-description: The following analytic detects DNS queries to known remote access software
-  domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution
-  data model and cross-references them with a lookup table of remote access software
-  domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant
-  as adversaries often use remote access tools to maintain persistent access to compromised
-  systems. If confirmed malicious, this could allow attackers to control systems remotely,
-  exfiltrate data, or further infiltrate the network, posing a severe security risk.
+description: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.
 data_source:
 - Sysmon EventID 22
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
@@ -20,14 +14,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain
   AS query OUTPUT isutility, description as signature, comment_reference as desc,
   category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`'
-how_to_implement: To implement this search, you must ingest logs that contain the
-  DNS query and the source of the query. These logs must be processed using the appropriate
-  Splunk Technology Add-ons that are specific to the DNS logs. The logs must also
-  be mapped to the `Network_Resolution` data model. Use the Splunk Common Information
-  Model (CIM) to normalize the field names and speed up the data modeling process.
-known_false_positives: It is possible that legitimate remote access software is used
-  within the environment. Ensure that the lookup is reviewed and updated with any
-  additional remote access software that is used within the environment.
+how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. Once the analytic is tuned for your environment, modify the risk scores to be more appropriate.
+known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and legitimate remote access software is removed from it to not cause false positives.
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -38,8 +26,8 @@ tags:
   - Command And Control
   - Ransomware
   asset_type: Endpoint
-  confidence: 50
-  impact: 50
+  confidence: 20
+  impact: 20
   message: A domain for a known remote access software $query$ was contacted by $src$.
   mitre_attack_id:
   - T1219
@@ -61,7 +49,7 @@ tags:
   - DNS.src
   - DNS.query
   - DNS.answer
-  risk_score: 25
+  risk_score: 4
   security_domain: endpoint
 tests:
 - name: True Positive Test