Merge pull request #3030 from nterl0k/nterl0k-rmm_must_die_update_1

Nterl0k - RMM Must Die - Update

detections/endpoint/detect_remote_access_software_usage_file.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 2
-date: '2024-05-13'
+version: 3
+date: '2024-07-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -20,17 +20,23 @@ search: '| tstats `security_content_summariesonly` count, min(_time) as firstTim
   by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup
   remote_access_software remote_utility AS file_name OUTPUT isutility, description
-  as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`'
+  as signature, comment_reference as desc, category | search isutility = TRUE 
+  | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_file_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the file path, file name, and the user that created
   the file. These logs must be processed using the appropriate Splunk Technology Add-ons
   that are specific to the EDR product. The logs must also be mapped to the `Filesystem`
   node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM)
-  to normalize the field names and speed up the data modeling process.
+  to normalize the field names and speed up the data modeling process. The "exceptions" 
+  macro leverages both an Assets and Identities lookup, as well as a KVStore collection
+  called "remote_software_exceptions" that lets you track and maintain device-based 
+  exceptions for this set of detections. 
 known_false_positives: Known or approved applications used by the organization or
-  usage of built-in functions.
+  usage of built-in functions. Known false positives can be added to the 
+  remote_access_software_usage_exception.csv lookup to globally suppress these 
+  situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -72,6 +78,7 @@ tags:
   - Filesystem.file_name
   risk_score: 25
   security_domain: endpoint
+  manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
   attack_data:

detections/endpoint/detect_remote_access_software_usage_fileinfo.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage FileInfo
 id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 2
-date: '2024-05-29'
+version: 3
+date: '2024-07-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -20,12 +20,15 @@ search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) a
   lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name,
   process_name, process | lookup remote_access_software remote_utility_fileinfo AS
   Product OUTPUT isutility, description as signature, comment_reference as desc, category
-  | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`'
+  | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_fileinfo_filter`'
 how_to_implement: This analytic relies on Sysmon to be properly installed and utilized
   in the environment. Ensure that proper logging is setup for Sysmon and data is being
-  ingested into Splunk.
+  ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities 
+  lookup, as well as a KVStore collection named "remote_software_exceptions" 
+  that lets you track and maintain device-based exceptions for this set of detections.
 known_false_positives: Known or approved applications used by the organization or
-  usage of built-in functions.
+  usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv 
+  lookup to globally suppress these situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -67,7 +70,8 @@ tags:
   - process_name
   - process
   risk_score: 25
-  security_domain: endpoint
+  security_domain: endpoint  
+  manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
   attack_data:

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 2
-date: '2024-05-23'
+version: 3
+date: '2024-07-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_name Processes.process | `security_content_ctime(firstTime)` |
   `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software
   remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference
-  as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`'
+  as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -32,10 +32,15 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   be processed using the appropriate Splunk Technology Add-ons that are specific to
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
+  names and speed up the data modeling process. The "exceptions" macro leverages 
+  both an Assets and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device-
+  based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
-  additional remote access software that is used within the environment.
+  additional remote access software that is used within the environment. 
+  Known false positives can be added to the remote_access_software_usage_exception.csv 
+  lookup to globally suppress these situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -80,6 +85,7 @@ tags:
   - Processes.parent_process_name
   risk_score: 25
   security_domain: endpoint
+  manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
   attack_data:

detections/network/detect_remote_access_software_usage_dns.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage DNS
 id: a16b797d-e309-41bd-8ba0-5067dae2e4be
 version: 3
-date: '2024-05-27'
+date: '2024-07-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -13,9 +13,20 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` |
   `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain
   AS query OUTPUT isutility, description as signature, comment_reference as desc,
-  category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`'
-how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. Once the analytic is tuned for your environment, modify the risk scores to be more appropriate.
-known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and legitimate remote access software is removed from it to not cause false positives.
+  category | eval dest = query | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_dns_filter`'
+how_to_implement: To implement this search, you must ingest logs that contain the
+  DNS query and the source of the query. These logs must be processed using the appropriate
+  Splunk Technology Add-ons that are specific to the DNS logs. The logs must also
+  be mapped to the `Network_Resolution` data model. Use the Splunk Common Information
+  Model (CIM) to normalize the field names and speed up the data modeling process. The 
+  "exceptions" macro leverages both an Assets and Identities lookup, 
+  as well as a KVStore collection called "remote_software_exceptions" that lets 
+  you track and maintain device-based exceptions for this set of detections.
+known_false_positives: It is possible that legitimate remote access software is used
+  within the environment. Ensure that the lookup is reviewed and updated with any
+  additional remote access software that is used within the environment. 
+  Known false positives can be added to the remote_access_software_usage_exception.csv 
+  lookup to globally suppress these situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -51,6 +62,7 @@ tags:
   - DNS.answer
   risk_score: 4
   security_domain: endpoint
+  manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
   attack_data:

detections/network/detect_remote_access_software_usage_traffic.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Traffic
 id: 885ea672-07ee-475a-879e-60d28aa5dd42
-version: 2
-date: '2024-05-29'
+version: 3
+date: '2024-07-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -20,14 +20,19 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app |
   `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | lookup remote_access_software remote_appid AS app OUTPUT isutility, description
-  as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`'
+  as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_traffic_filter`'
 how_to_implement: The following analytic was developed with Palo Alto traffic logs.
   Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
+  names and speed up the data modeling process. The "exceptions" macro leverages 
+  both an Assets and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device-
+  based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
   additional remote access software that is used within the environment.
+  Known false positives can be added to the remote_access_software_usage_exception.csv 
+  lookup to globally suppress these situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -63,6 +68,7 @@ tags:
   - user
   risk_score: 25
   security_domain: network
+  manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
   attack_data:

detections/web/detect_remote_access_software_usage_url.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage URL
 id: 9296f515-073c-43a5-88ec-eda5a4626654
-version: 2
-date: '2024-05-09'
+version: 3
+date: '2024-07-09'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -20,15 +20,20 @@ search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(We
   Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS
   url_domain OUTPUT isutility, description as signature, comment_reference as desc,
-  category | search isutility = True | `detect_remote_access_software_usage_url_filter`'
+  category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_url_filter`'
 how_to_implement: The detection is based on data that originates from network logs.
   These logs must be processed using the appropriate Splunk Technology Add-ons that
   are specific to the network logs. The logs must also be mapped to the `Web` data
   model. Use the Splunk Common Information Model (CIM) to normalize the field names
-  and speed up the data modeling process.
+  and speed up the data modeling process. The "exceptions" macro leverages 
+  both an Assets and Identities lookup, as well as a KVStore collection called 
+  "remote_software_exceptions" that lets you track and maintain device-
+  based exceptions for this set of detections.
 known_false_positives: It is possible that legitimate remote access software is used
   within the environment. Ensure that the lookup is reviewed and updated with any
-  additional remote access software that is used within the environment.
+  additional remote access software that is used within the environment. 
+  Known false positives can be added to the remote_access_software_usage_exception.csv 
+  lookup to globally suppress these situations across all remote access content
 references:
 - https://attack.mitre.org/techniques/T1219/
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
@@ -70,6 +75,7 @@ tags:
   - Web.url_domain
   risk_score: 25
   security_domain: network
+  manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
   attack_data:

lookups/remote_access_software.yml

@@ -1,8 +1,8 @@
 description: A list of Remote Access Software
-filename: remote_access_software.csv
+filename: remote_access_software20240726.csv
 name: remote_access_software
 default_match: 'false'
 match_type: WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)
 min_matches: 1
 max_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: 'false'

lookups/remote_access_software.csv → lookups/remote_access_software20240726.csv

@@ -1,5 +1,10 @@
 description,remote_domain,remote_utility,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update
 247ithelp.com (ConnectWise),*.247ithelp.com,Remote Workforce Client.exe,,,TRUE,RMM,Simlar / replaced by ScreenConnect,2/8/2024
+Absolute (Computrace),*search.namequery.com,rpcnet.exe,Absolute Software*,absolute-manage,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
+Absolute (Computrace),*server.absolute.com,ctes.exe,Absolute Persistence*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
+Absolute (Computrace),,ctespersitence.exe,CTES*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
+Absolute (Computrace),,cteshostsvc.exe,,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
+Absolute (Computrace),,rpcld.exe,,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
 Access Remote PC,,rpcgrab.exe,,,TRUE,RMM,,2/7/2024
 Access Remote PC,,rpcsetup.exe,,,TRUE,RMM,,2/7/2024
 Acronic Cyber Protect (Remotix),cloud.acronis.com,AcronisCyberProtectConnectQuickAssist*.exe,Acronis Cyber Protect Connect Quick Assist,remotix,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024
@@ -566,4 +571,4 @@ Zoho Assist,*.zohoassist.jp,ZMAgent.exe,,,TRUE,RMM,https://www.zoho.com/assist/k
 Zoho Assist,*.zohoassist.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024
 Zoho Assist,downloads.zohodl.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024
 Zoho Assist,downloads.zohocdn.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024
-Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024
+Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024

lookups/remote_access_software_exceptions.yml

@@ -0,0 +1,4 @@
+description: A list used to provide global exceptions to remote access monitoring content.
+collection: remote_access_software_exceptions
+name: remote_access_software_exceptions
+fields_list: _key, asset, software, exception_date, exception_ttl_days, exception, comment

macros/remote_access_software_usage_exceptions.yml

@@ -0,0 +1,9 @@
+definition: 'eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest) 
+  | lookup update=true asset_lookup_by_str asset as exception_asset OUTPUTNEW asset as asset_temp_field 
+  | eval asset_temp_field = CASE(isnull(asset_temp_field),exception_asset,true(),asset_temp_field ) 
+  | lookup remote_access_software_exceptions asset as asset_temp_field software as signature OUTPUT exception as rmm_exception, exception_date as rmm_exception_date, exception_ttl_days as rmm_exception_ttl_days, comment as rmm_exception_comment
+  | eval rmm_exception = mvdedup(mvfilter(NOT match(rmm_exception,"false"))), rmm_exception_date = mvdedup(mvfilter(NOT match(rmm_exception_date,"false"))), rmm_exception_ttl_days = mvdedup(mvfilter(NOT match(rmm_exception_ttl_days,"false"))), rmm_exception_comment = mvdedup(mvfilter(NOT match(rmm_exception_comment,"false"))), rmm_exception_end_date = relative_time(strptime(rmm_exception_date, "%Y-%m-%d"), "+"+rmm_exception_ttl_days+"d"), rmm_exception_end = CASE((now() >= rmm_exception_end_date),"TRUE",(now() < rmm_exception_end_date),"FALSE",(match(rmm_exception,"(?i)true") AND isnull(rmm_exception_ttl_days)),"UNLIMITED") 
+  | search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED"))
+  | fields - asset_temp_field,exception_asset'
+description: Macro used with remote access monitoring content to define exception lookup and usage. Returns filtered results based on contents of remote_access_software_usage_exception.csv
+name: remote_access_software_usage_exceptions