From 410454f6cee05da8ae0de1c9455348cb61a9db12 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 25 Jul 2024 10:52:08 -0600 Subject: [PATCH 1/4] Haag's Guided Adventures --- .../endpoint/linux_decode_base64_to_shell.yml | 23 ++++--- ...ted_files_or_information_base64_decode.yml | 11 ++-- ...ible_lateral_movement_powershell_spawn.yml | 18 +++--- ...etect_remote_access_software_usage_dns.yml | 26 +++----- ...pm_sql_injection_remote_code_execution.yml | 60 +++++++++++++++++++ stories/ivanti_epm_vulnerabilities.yml | 23 +++++++ 6 files changed, 113 insertions(+), 48 deletions(-) create mode 100644 detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml create mode 100644 stories/ivanti_epm_vulnerabilities.yml diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml index 9673b8a687..6a9f2be9a7 100644 --- a/detections/endpoint/linux_decode_base64_to_shell.yml +++ b/detections/endpoint/linux_decode_base64_to_shell.yml @@ -1,20 +1,20 @@ name: Linux Decode Base64 to Shell id: 637b603e-1799-40fd-bf87-47ecbd551b66 -version: 2 -date: '2024-05-22' +version: 3 +date: '2024-06-25' author: Michael Haag, Splunk status: production type: TTP -description: |- - The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like "base64 -d" and "base64 --decode" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system. +description: The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions. data_source: - Sysmon for Linux EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 - -d*","*base64 --decode*") AND Processes.process="*|*" `linux_shells` by Processes.dest - Processes.user Processes.parent_process_name Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | rex field=process "base64\s+(?-{1,2}d\w*)" + | where isnotnull(decode_flag) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_decode_base64_to_shell_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -80,8 +80,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml index f7104c6502..a5757d1f28 100644 --- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml +++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml @@ -1,7 +1,7 @@ name: Linux Obfuscated Files or Information Base64 Decode id: 303b38b2-c03f-44e2-8f41-4594606fcfc7 -version: 2 -date: '2024-05-15' +version: 3 +date: '2024-06-25' author: Michael Haag, Splunk status: production type: Anomaly @@ -15,9 +15,7 @@ description: The following analytic detects the use of the base64 decode command data_source: - Sysmon for Linux EventID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 - -d*","*base64 --decode*") by Processes.dest Processes.user Processes.parent_process_name - Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + as lastTime from datamodel=Endpoint.Processes where Processes.process_path="*/base64" Processes.process="*-d*" by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_integrity_level Processes.parent_process_name Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_obfuscated_files_or_information_base64_decode_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection @@ -84,8 +82,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux update_timestamp: true diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 6b3a5242d9..b656cc311b 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -1,8 +1,8 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 3 -date: '2024-05-20' -author: Mauricio Velazco, Splunk +version: 5 +date: '2024-06-18' +author: Mauricio Velazco, Michael Haag, Splunk status: production type: TTP description: 'The following analytic detects the spawning of a PowerShell process @@ -20,11 +20,10 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) - OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) - NOT (Processes.process IN ("*c:\windows\ccm\*")) by Processes.dest Processes.user - Processes.parent_process_name Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' + OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*")) + by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -90,7 +89,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index ee831d6810..a86b46edf3 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -1,17 +1,11 @@ name: Detect Remote Access Software Usage DNS id: a16b797d-e309-41bd-8ba0-5067dae2e4be -version: 2 +version: 3 date: '2024-05-27' author: Steven Dick status: production type: Anomaly -description: The following analytic detects DNS queries to known remote access software - domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution - data model and cross-references them with a lookup table of remote access software - domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant - as adversaries often use remote access tools to maintain persistent access to compromised - systems. If confirmed malicious, this could allow attackers to control systems remotely, - exfiltrate data, or further infiltrate the network, posing a severe security risk. +description: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly. data_source: - Sysmon EventID 22 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -20,14 +14,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`' -how_to_implement: To implement this search, you must ingest logs that contain the - DNS query and the source of the query. These logs must be processed using the appropriate - Splunk Technology Add-ons that are specific to the DNS logs. The logs must also - be mapped to the `Network_Resolution` data model. Use the Splunk Common Information - Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: It is possible that legitimate remote access software is used - within the environment. Ensure that the lookup is reviewed and updated with any - additional remote access software that is used within the environment. +how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. Once the analytic is tuned for your environment, modify the risk scores to be more appropriate. +known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and legitimate remote access software is removed from it to not cause false positives. references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ @@ -38,8 +26,8 @@ tags: - Command And Control - Ransomware asset_type: Endpoint - confidence: 50 - impact: 50 + confidence: 20 + impact: 20 message: A domain for a known remote access software $query$ was contacted by $src$. mitre_attack_id: - T1219 @@ -61,7 +49,7 @@ tags: - DNS.src - DNS.query - DNS.answer - risk_score: 25 + risk_score: 4 security_domain: endpoint tests: - name: True Positive Test diff --git a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml new file mode 100644 index 0000000000..7c7f38461e --- /dev/null +++ b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml @@ -0,0 +1,60 @@ +data_source: [] +mitre_attack_ids: T1190 +security_domain: network +name: Ivanti EPM SQL Injection Remote Code Execution +id: e20564ca-c86c-4e30-acdb-a8486673426f +version: 1 +date: '2024-06-18' +author: Michael Haag +type: TTP +status: production +description: This detection identifies potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824. The vulnerability, which has a CVSS score of 9.8, allows for remote code execution through the `RecordGoodApp` function in the `PatchBiz.dll` file. An attacker can exploit this vulnerability by manipulating the `goodApp.md5` value in an HTTP POST request to the `/WSStatusEvents/EventHandler.asmx` endpoint, leading to unauthorized command execution on the server. Monitoring for unusual SQL commands and HTTP requests to this endpoint can help identify exploitation attempts. Note that, the detection is focused on the URI path, HTTP method and status code of 200, indicating potential exploitation. To properly identify if this was successful, TLS inspection and additional network traffic analysis is required as the xp_cmdshell comes in via the request body. +kind: web +search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/WSStatusEvents/EventHandler.asmx") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype + | `drop_dm_object_name("Web")` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `ivanti_epm_sql_injection_remote_code_execution_filter`' +how_to_implement: The detection is based on monitoring HTTP POST requests to the `/WSStatusEvents/EventHandler.asmx` endpoint with a status code of 200. The detection is focused on the URI path, HTTP method, and status code, which can indicate potential exploitation of the CVE-2024-29824 vulnerability. To implement this detection, ensure that you have enabled the necessary data sources and are ingesting HTTP traffic data. The detection can be implemented using Splunk Enterprise Security and Splunk Cloud with the provided search query. The search query should be scheduled to run at regular intervals to detect potential exploitation attempts. Additionally, consider implementing TLS inspection or network traffic analysis (IDS/IPS) to identify successful exploitation attempts. +known_false_positives: False positives are not expected, as this detection is based on monitoring HTTP POST requests to a specific endpoint with a status code of 200. However, ensure that legitimate requests to the `/WSStatusEvents/EventHandler.asmx` endpoint are accounted for in the environment to avoid false positives. +references: +- https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/ +- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29824 +- https://github.com/projectdiscovery/nuclei-templates/pull/10020/files +tags: + analytic_story: + - Ivanti EPM Vulnerabilities + asset_type: Web Server + confidence: 80 + impact: 100 + message: Potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824 against $dest$. + mitre_attack_id: + - T1190 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - Web.http_user_agent + - Web.status + - Web.http_method + - Web.url + - Web.url_length + - Web.src + - Web.dest + - sourcetype + risk_score: 80 + security_domain: network + cve: + - CVE-2024-29824 +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log + sourcetype: suricata + source: suricata diff --git a/stories/ivanti_epm_vulnerabilities.yml b/stories/ivanti_epm_vulnerabilities.yml new file mode 100644 index 0000000000..2c6e509ef0 --- /dev/null +++ b/stories/ivanti_epm_vulnerabilities.yml @@ -0,0 +1,23 @@ +name: Ivanti EPM Vulnerabilities +id: 4dcadae4-df82-42f3-9e77-4d852d20ac78 +version: 1 +date: '2024-06-18' +author: Michael Haag, Splunk +description: | + This analytic story covers various vulnerabilities identified in Ivanti Endpoint Manager (EPM), including but not limited to SQL injection, remote code execution, and privilege escalation. These vulnerabilities can potentially be exploited by adversaries to gain unauthorized access, execute arbitrary code, and compromise the security of managed endpoints. +narrative: | + Ivanti Endpoint Manager (EPM) is a comprehensive solution for managing and securing enterprise endpoints. However, like any complex software, it is not immune to vulnerabilities. This story aggregates multiple CVEs affecting Ivanti EPM, providing insights into different types of security weaknesses such as SQL injection, remote code execution, and privilege escalation. By understanding and monitoring these vulnerabilities, organizations can better protect their infrastructure from potential attacks and ensure the integrity and security of their managed devices. +references: + - https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29824 + - https://github.com/projectdiscovery/nuclei-templates/pull/10020/files +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: + - CVE-2024-29824 From bfd201bf950bb4d8b56b48d8a752e0f6474632fc Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Fri, 26 Jul 2024 09:43:28 -0600 Subject: [PATCH 2/4] Update windows_protocol_tunneling_with_plink.yml --- .../windows_protocol_tunneling_with_plink.yml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml index f63bd484c1..d810345bb3 100644 --- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml +++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml @@ -1,26 +1,26 @@ name: Windows Protocol Tunneling with Plink id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed -version: 2 -date: '2024-05-24' +version: 3 +date: '2024-07-26' author: Michael Haag, Splunk status: production type: TTP -description: The following analytic detects the use of Plink for protocol tunneling, - either for egress or lateral movement within an organization. It identifies specific - Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs - from Endpoint Detection and Response (EDR) agents. This activity is significant +description: This analytic detects the use of Plink (including renamed versions like pvhost.exe) for protocol tunneling, + which may be used for egress or lateral movement within an organization. It identifies specific + command-line options (-R, -L, -D, -l, -N, -P, -pw) commonly used for port forwarding and tunneling + by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant as it may indicate an attempt to bypass network security controls or establish unauthorized connections. If confirmed malicious, this could allow an attacker to exfiltrate data, move laterally across the network, or maintain persistent access, posing a - severe threat to the organization's security. + severe threat to the organization's security. The detection covers both the original Plink executable + and potential renamed versions, enhancing its ability to catch evasion attempts. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe - OR Processes.original_file_name=Plink Processes.process IN ("*-R *", "*-L *", "*-D - *", "*-l *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name + as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=plink.exe OR Processes.process_name=pvhost.exe OR Processes.original_file_name=Plink) AND + Processes.process IN ("*-R *", "*-L *", "*-D *", "*-l *", "*-N *", "*-P *", "*-pw *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_protocol_tunneling_with_plink_filter`' @@ -40,6 +40,8 @@ references: - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html - https://attack.mitre.org/techniques/T1572/ - https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5 +- https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/0/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF +- https://blog.talosintelligence.com/lazarus-three-rats/ tags: analytic_story: - CISA AA22-257A @@ -94,4 +96,4 @@ tests: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: xmlwineventlog - update_timestamp: true + update_timestamp: true \ No newline at end of file From 03083cf27adcd53d05eafbc6216f9250a67dabbb Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:29:06 -0600 Subject: [PATCH 3/4] fix --- .../web/ivanti_epm_sql_injection_remote_code_execution.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml index 7c7f38461e..a3702b7048 100644 --- a/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml +++ b/detections/web/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml @@ -9,7 +9,6 @@ author: Michael Haag type: TTP status: production description: This detection identifies potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824. The vulnerability, which has a CVSS score of 9.8, allows for remote code execution through the `RecordGoodApp` function in the `PatchBiz.dll` file. An attacker can exploit this vulnerability by manipulating the `goodApp.md5` value in an HTTP POST request to the `/WSStatusEvents/EventHandler.asmx` endpoint, leading to unauthorized command execution on the server. Monitoring for unusual SQL commands and HTTP requests to this endpoint can help identify exploitation attempts. Note that, the detection is focused on the URI path, HTTP method and status code of 200, indicating potential exploitation. To properly identify if this was successful, TLS inspection and additional network traffic analysis is required as the xp_cmdshell comes in via the request body. -kind: web search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/WSStatusEvents/EventHandler.asmx") Web.http_method=POST Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` From 2057e0ab231c0ae1014f29e7efb659abdaa67cb0 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:45:25 -0600 Subject: [PATCH 4/4] Update malicious_powershell_process___encoded_command.yml Fixed for #2982 --- ...alicious_powershell_process___encoded_command.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index e4970cf1e8..2361965649 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml @@ -1,8 +1,8 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 8 -date: '2024-05-19' -author: David Dorsey, Michael Haag, Splunk +version: 9 +date: '2024-07-26' +author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting description: 'The following analytic detects the use of the EncodedCommand parameter @@ -22,8 +22,8 @@ search: "| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\\ - s+[^-]\") | `malicious_powershell_process___encoded_command_filter`" + | `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\") + | `malicious_powershell_process___encoded_command_filter`" how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -84,4 +84,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog + sourcetype: xmlwineventlog \ No newline at end of file