From dbe3816d8299c341e37a37eca044b7f664caa8eb Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:40:01 -0400 Subject: [PATCH 01/15] Update detect_remote_access_software_usage_file.yml --- .../detect_remote_access_software_usage_file.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index bed6c42094..10e76ff991 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage File id: 3bf5541a-6a45-4fdc-b01d-59b899fff961 -version: 2 -date: '2024-05-13' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly @@ -20,7 +20,8 @@ search: '| tstats `security_content_summariesonly` count, min(_time) as firstTim by Filesystem.dest, Filesystem.user, Filesystem.file_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description - as signature, comment_reference as desc, category | search isutility = TRUE | `detect_remote_access_software_usage_file_filter`' + as signature, comment_reference as desc, category | search isutility = TRUE + | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_file_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
@@ -28,9 +29,11 @@ how_to_implement: The detection is based on data that originates from Endpoint D the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) - to normalize the field names and speed up the data modeling process. + to normalize the field names and speed up the data modeling process. known_false_positives: Known or approved applications used by the organization or - usage of built-in functions. + usage of built-in functions. Known false positives can be added to the + remote_access_software_usage_exception.csv lookup to globally suppress these + situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ From db548b43bcb9d218cd620d824614be1d5c9b89fe Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:41:54 -0400 Subject: [PATCH 02/15] Update detect_remote_access_software_usage_fileinfo.yml --- .../detect_remote_access_software_usage_fileinfo.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index 6bda13e076..7f0de37bc0 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage FileInfo id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454 -version: 2 -date: '2024-05-29' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly 
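Review bot: the `known_false_positives` hunk in PATCH 01 sends analysts to `remote_access_software_usage_exception.csv`, but the lookup introduced in PATCH 07 is `lookups/remote_access_software_exceptions.csv` (lookup name `remote_access_software_exceptions`), so the file named in the docs does not exist; use the lookup name and say that a row is matched on `asset` plus `software`. The same sentence is pasted into the fileinfo, process, DNS, traffic and URL detections in PATCH 02 through PATCH 06, so all six need the fix. The `-`/`+` pair `to normalize the field names and speed up the data modeling process.` is a whitespace-only change and can be dropped from the hunk.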
@@ -18,12 +18,13 @@ search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) a lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True | `detect_remote_access_software_usage_fileinfo_filter`' + | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_fileinfo_filter`' how_to_implement: This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. known_false_positives: Known or approved applications used by the organization or - usage of built-in functions. + usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ From be8560118fde35f1f87d721aca93d3a82138dd1d Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:44:59 -0400 Subject: [PATCH 03/15] Update detect_remote_access_software_usage_process.yml --- .../detect_remote_access_software_usage_process.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index af552ade69..ffa5277821 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml 
@@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage Process id: ffd5e001-2e34-48f4-97a2-26dc4bb08178 -version: 2 -date: '2024-05-23' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly @@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference - as desc, category | search isutility = True | `detect_remote_access_software_usage_process_filter`' + as desc, category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -33,7 +33,9 @@ how_to_implement: The detection is based on data that originates from Endpoint D names and speed up the data modeling process. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any - additional remote access software that is used within the environment. + additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ From c77af37ef0d0750483632a25b38d1a6c53027a24 Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:46:17 -0400 Subject: [PATCH 04/15] Update detect_remote_access_software_usage_dns.yml --- .../detect_remote_access_software_usage_dns.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index ee831d6810..e12efc189d 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage DNS id: a16b797d-e309-41bd-8ba0-5067dae2e4be -version: 2 -date: '2024-05-27' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly @@ -19,7 +19,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, - category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`' + category | eval dest = query | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_dns_filter`' how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also 
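Review bot: in the DNS search hunk of PATCH 04, `eval dest = query` runs before `remote_access_software_usage_exception_filter`, and that macro (PATCH 08) picks the exception asset with `CASE(isnotnull(src),src,isnotnull(dest),dest)`; if `src` is not carried through the `tstats ... by` clause, the asset becomes the queried domain and asset-scoped exceptions silently never match. Confirm `DNS.src` is in the by clause and is preserved by `drop_dm_object_name("DNS")`.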
@@ -27,7 +27,9 @@ how_to_implement: To implement this search, you must ingest logs that contain th Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any - additional remote access software that is used within the environment. + additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ From b0c739f5f733e1dc24020572f70a5712a30635b5 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:46:59 -0400 Subject: [PATCH 05/15] Update detect_remote_access_software_usage_traffic.yml --- .../detect_remote_access_software_usage_traffic.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index b7b9c3d063..34eab59c4a 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage Traffic id: 885ea672-07ee-475a-879e-60d28aa5dd42 -version: 2 -date: '2024-05-29' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly 
@@ -20,7 +20,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description - as signature, comment_reference as desc, category | search isutility = True | `detect_remote_access_software_usage_traffic_filter`' + as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_traffic_filter`' how_to_implement: The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field @@ -28,6 +28,8 @@ how_to_implement: The following analytic was developed with Palo Alto traffic lo known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ From 653478a09fc51993c7c4304d33dfcdddbdecb20b Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:47:38 -0400 Subject: [PATCH 06/15] Update detect_remote_access_software_usage_url.yml --- .../web/detect_remote_access_software_usage_url.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index 42460961f3..aeb5a714f6 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml @@ -1,7 +1,7 @@ name: Detect Remote Access Software Usage URL id: 9296f515-073c-43a5-88ec-eda5a4626654 -version: 2 -date: '2024-05-09' +version: 3 +date: '2024-07-09' author: Steven Dick status: production type: Anomaly @@ -20,7 +20,7 @@ search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(We Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, - category | search isutility = True | `detect_remote_access_software_usage_url_filter`' + category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_url_filter`' how_to_implement: The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data 
@@ -28,7 +28,9 @@ how_to_implement: The detection is based on data that originates from network lo and speed up the data modeling process. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any - additional remote access software that is used within the environment. + additional remote access software that is used within the environment. + Known false positives can be added to the remote_access_software_usage_exception.csv + lookup to globally suppress these situations across all remote access content references: - https://attack.mitre.org/techniques/T1219/ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ From a2d364979a73914c7ab6486e2fc4b47cb2ad4041 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:49:07 -0400 Subject: [PATCH 07/15] Add files via upload --- lookups/remote_access_software_exceptions.csv | 5 +++++ lookups/remote_access_software_exceptions.yml | 8 ++++++++ 2 files changed, 13 insertions(+) create mode 100644 lookups/remote_access_software_exceptions.csv create mode 100644 lookups/remote_access_software_exceptions.yml diff --git a/lookups/remote_access_software_exceptions.csv b/lookups/remote_access_software_exceptions.csv new file mode 100644 index 0000000000..561df22d92 --- /dev/null +++ b/lookups/remote_access_software_exceptions.csv 
@@ -0,0 +1,5 @@ +asset,software,exception_date,exception_ttl_days,exception,comment +example_asset,Example_RMM_with_expiration,2024-01-01,30,TRUE,Example to show usage for a temporary exception for a single asset +example_asset_2,Example_RMM_without_expiration,2024-01-01,,TRUE,Example to show usage for a permanent exception for a single asset +example_asset_*,Example_RMM_wildcard_1,2024-01-01,,TRUE,Example to show usage for a permanent exception for a wildcard asset match +*,Example_RMM_wildcard_2,2024-01-01,,TRUE,Example to show usage for a permanent exception for all detections/assets \ No newline at end of file diff --git a/lookups/remote_access_software_exceptions.yml b/lookups/remote_access_software_exceptions.yml new file mode 100644 index 0000000000..193fc224c1 --- /dev/null +++ b/lookups/remote_access_software_exceptions.yml @@ -0,0 +1,8 @@ +description: A list used to provide global exceptions to remote access monitoring content. +filename: remote_access_software_exceptions.csv +name: remote_access_software_exceptions +default_match: 'false' +match_type: WILDCARD(asset) +min_matches: 1 +max_matches: 1 +case_sensitive_match: 'false' \ No newline at end of file From 2dd0a497457bcc284380d5338c8e3d49a39e4d4c Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 08:49:37 -0400 Subject: [PATCH 08/15] Add files via upload --- macros/remote_access_software_usage_exception_filter.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 macros/remote_access_software_usage_exception_filter.yml diff --git a/macros/remote_access_software_usage_exception_filter.yml b/macros/remote_access_software_usage_exception_filter.yml new file mode 100644 index 0000000000..ea97c2530f --- /dev/null +++ b/macros/remote_access_software_usage_exception_filter.yml 
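Review bot: `default_match: 'false'` with `min_matches: 1` makes every non-matching event come back with the string `false` in all OUTPUT fields, including `exception_date` and `exception_ttl_days`, which is why the macro in PATCH 08 has to scrub each field with `mvfilter`; dropping `default_match` would leave unmatched events with null fields and remove that scrubbing. With `match_type: WILDCARD(asset)` and `max_matches: 1`, an asset that matches both a specific row and an `example_asset_*` or `*` row returns only one of them, so state which row wins or raise `max_matches`. The four `Example_RMM_*` rows ship in the production lookup; they are harmless because the `software` column must also match, but a header-only CSV with the examples in `description` would be cleaner, and the file also lacks a trailing newline.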
@@ -0,0 +1,9 @@ +definition: 'eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest) +| lookup update=true asset_lookup_by_str asset as exception_asset OUTPUTNEW asset as asset_temp_field +| eval asset_temp_field = CASE(isnull(asset_temp_field),exception_asset,true(),asset_temp_field ) +| lookup remote_access_software_exceptions asset as asset_temp_field software as signature OUTPUT exception as rmm_exception, exception_date as rmm_exception_date, exception_ttl_days as rmm_exception_ttl_days, comment as rmm_exception_comment +| eval rmm_exception = mvdedup(mvfilter(NOT match(rmm_exception,"false"))), rmm_exception_date = mvdedup(mvfilter(NOT match(rmm_exception_date,"false"))), rmm_exception_ttl_days = mvdedup(mvfilter(NOT match(rmm_exception_ttl_days,"false"))), rmm_exception_comment = mvdedup(mvfilter(NOT match(rmm_exception_comment,"false"))), rmm_exception_end_date = relative_time(strptime(rmm_exception_date, "%Y-%m-%d"), "+"+rmm_exception_ttl_days+"d"), rmm_exception_end = CASE((now() >= rmm_exception_end_date),"TRUE",(now() < rmm_exception_end_date),"FALSE",(match(rmm_exception,"(?i)true") AND isnull(rmm_exception_ttl_days)),"UNLIMITED") +| search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED"))' +| fields - asset_temp_field,exception_asset +description: Macro used with remote access monitoring content to define exception lookup and usage. Returns filtered results based on contents of remote_access_software_usage_exception.csv +name: remote_access_software_usage_exception_filter \ No newline at end of file From 567010cde4a2f4fdb909dc72509be320fa26c5dd Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:28:17 -0400 Subject: [PATCH 09/15] Update remote_access_software.csv Added additional entries for Computrace/Absolute/Lowjack RMM --- lookups/remote_access_software.csv | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
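Review bot: the `definition` scalar in PATCH 08 is closed too early: the quote at the end of `| search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED"))'` leaves `| fields - asset_temp_field,exception_asset` outside the string, so the YAML does not load as intended (PATCH 10 corrects this). Two logic points in the same hunk: `mvfilter(NOT match(rmm_exception_comment,"false"))` is an unanchored regex, so an analyst comment such as "known false positive" is discarded along with the default-match filler; anchor it (`"^false$"`) or compare with `!=`. And `rmm_exception_end` is `"TRUE"` when the exception has expired, which reads backwards; a name like `rmm_exception_expired` would make the final `search NOT (...)` self-explanatory. The `description` also names `remote_access_software_usage_exception.csv` while the lookup is `remote_access_software_exceptions`. The filter does fail safe: an unparsable `exception_date` or an elapsed TTL leaves `rmm_exception_end` outside `("FALSE","UNLIMITED")` and the event still alerts.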
diff --git a/lookups/remote_access_software.csv b/lookups/remote_access_software.csv index 2593eebb17..55cfadc270 100644 --- a/lookups/remote_access_software.csv +++ b/lookups/remote_access_software.csv @@ -1,5 +1,10 @@ description,remote_domain,remote_utility,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update 247ithelp.com (ConnectWise),*.247ithelp.com,Remote Workforce Client.exe,,,TRUE,RMM,Simlar / replaced by ScreenConnect,2/8/2024 +Absolute (Computrace),*search.namequery.com,rpcnet.exe,Absolute Software*,absolute-manage,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),*server.absolute.com,ctes.exe,Absolute Persistence*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),,ctespersitence.exe,CTES*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),,cteshostsvc.exe,,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 +Absolute (Computrace),,rpcld.exe,,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024 Access Remote PC,,rpcgrab.exe,,,TRUE,RMM,,2/7/2024 Access Remote PC,,rpcsetup.exe,,,TRUE,RMM,,2/7/2024 Acronic Cyber Protect (Remotix),cloud.acronis.com,AcronisCyberProtectConnectQuickAssist*.exe,Acronis Cyber Protect Connect Quick Assist,remotix,TRUE,RMM,https://kb.acronis.com/content/47189,2/26/2024 
@@ -566,4 +571,4 @@ Zoho Assist,*.zohoassist.jp,ZMAgent.exe,,,TRUE,RMM,https://www.zoho.com/assist/k Zoho Assist,*.zohoassist.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 Zoho Assist,downloads.zohodl.com.cn,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 Zoho Assist,downloads.zohocdn.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 -Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 \ No newline at end of file +Zoho Assist,gateway.zohoassist.com,,,,TRUE,RMM,https://www.zoho.com/assist/kb/firewall-configuration.html,2/14/2024 From 8b3c53f1a0c88910c8999aa52f2a2727ac89ccb7 Mon Sep 17 00:00:00 2001 From: ljstella Date: Thu, 25 Jul 2024 07:33:12 -0500 Subject: [PATCH 10/15] formatting on macro --- ...remote_access_software_usage_exception_filter.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/macros/remote_access_software_usage_exception_filter.yml b/macros/remote_access_software_usage_exception_filter.yml index ea97c2530f..f375bb559a 100644 --- a/macros/remote_access_software_usage_exception_filter.yml +++ b/macros/remote_access_software_usage_exception_filter.yml 
@@ -1,9 +1,9 @@ definition: 'eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest) -| lookup update=true asset_lookup_by_str asset as exception_asset OUTPUTNEW asset as asset_temp_field -| eval asset_temp_field = CASE(isnull(asset_temp_field),exception_asset,true(),asset_temp_field ) -| lookup remote_access_software_exceptions asset as asset_temp_field software as signature OUTPUT exception as rmm_exception, exception_date as rmm_exception_date, exception_ttl_days as rmm_exception_ttl_days, comment as rmm_exception_comment -| eval rmm_exception = mvdedup(mvfilter(NOT match(rmm_exception,"false"))), rmm_exception_date = mvdedup(mvfilter(NOT match(rmm_exception_date,"false"))), rmm_exception_ttl_days = mvdedup(mvfilter(NOT match(rmm_exception_ttl_days,"false"))), rmm_exception_comment = mvdedup(mvfilter(NOT match(rmm_exception_comment,"false"))), rmm_exception_end_date = relative_time(strptime(rmm_exception_date, "%Y-%m-%d"), "+"+rmm_exception_ttl_days+"d"), rmm_exception_end = CASE((now() >= rmm_exception_end_date),"TRUE",(now() < rmm_exception_end_date),"FALSE",(match(rmm_exception,"(?i)true") AND isnull(rmm_exception_ttl_days)),"UNLIMITED") -| search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED"))' -| fields - asset_temp_field,exception_asset + | lookup update=true asset_lookup_by_str asset as exception_asset OUTPUTNEW asset as asset_temp_field + | eval asset_temp_field = CASE(isnull(asset_temp_field),exception_asset,true(),asset_temp_field ) + | lookup remote_access_software_exceptions asset as asset_temp_field software as signature OUTPUT exception as rmm_exception, exception_date as rmm_exception_date, exception_ttl_days as rmm_exception_ttl_days, comment as rmm_exception_comment + | eval rmm_exception = mvdedup(mvfilter(NOT match(rmm_exception,"false"))), rmm_exception_date = mvdedup(mvfilter(NOT match(rmm_exception_date,"false"))), rmm_exception_ttl_days = mvdedup(mvfilter(NOT match(rmm_exception_ttl_days,"false"))), 
rmm_exception_comment = mvdedup(mvfilter(NOT match(rmm_exception_comment,"false"))), rmm_exception_end_date = relative_time(strptime(rmm_exception_date, "%Y-%m-%d"), "+"+rmm_exception_ttl_days+"d"), rmm_exception_end = CASE((now() >= rmm_exception_end_date),"TRUE",(now() < rmm_exception_end_date),"FALSE",(match(rmm_exception,"(?i)true") AND isnull(rmm_exception_ttl_days)),"UNLIMITED") + | search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED")) + | fields - asset_temp_field,exception_asset' description: Macro used with remote access monitoring content to define exception lookup and usage. Returns filtered results based on contents of remote_access_software_usage_exception.csv name: remote_access_software_usage_exception_filter \ No newline at end of file From a86ea6fa51a6ec72c69484fddbf3a50ad7ea7a26 Mon Sep 17 00:00:00 2001 From: ljstella Date: Thu, 25 Jul 2024 10:52:00 -0500 Subject: [PATCH 11/15] Manual Testing flag due to ES Lookups --- .../endpoint/detect_remote_access_software_usage_fileinfo.yml | 3 ++- .../endpoint/detect_remote_access_software_usage_process.yml | 1 + detections/network/detect_remote_access_software_usage_dns.yml | 1 + .../network/detect_remote_access_software_usage_traffic.yml | 1 + detections/web/detect_remote_access_software_usage_url.yml | 1 + 5 files changed, 6 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index 7f0de37bc0..0bf7620e9a 100644 --- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml @@ -65,7 +65,8 @@ tags: - process_name - process risk_score: 25 - security_domain: endpoint + security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: 
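Review bot: since this hunk re-emits the entire `eval` line, it is the place to anchor the `match(rmm_exception_comment,"false")` pattern and rename `rmm_exception_end`, which the pure re-indent does not do; the closing quote moved to `| fields - asset_temp_field,exception_asset'` does fix the PATCH 08 YAML problem, but the unchanged `description` still cites `remote_access_software_usage_exception.csv`.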
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index ffa5277821..833f731b24 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml @@ -79,6 +79,7 @@ tags: - Processes.parent_process_name risk_score: 25 security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index e12efc189d..b79584b519 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -65,6 +65,7 @@ tags: - DNS.answer risk_score: 25 security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index 34eab59c4a..b7407380f2 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -65,6 +65,7 @@ tags: - user risk_score: 25 security_domain: network + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index aeb5a714f6..c3cfab2438 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml 
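Review bot: in the PATCH 11 fileinfo hunk, `- security_domain: endpoint` / `+ security_domain: endpoint` is a whitespace-only change that can be dropped so the hunk is just the `manual_test` line. In the DNS hunk the context line `security_domain: endpoint` belongs to a detection under `detections/network/`, while the traffic and URL hunks carry `security_domain: network`; worth correcting while this file is being touched. The `manual_test` wording is clear about the A&I dependency, which also explains the `lookup update=true asset_lookup_by_str` call in the macro.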
@@ -72,6 +72,7 @@ tags: - Web.url_domain risk_score: 25 security_domain: network + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: From 469cff4ab4f96e8f7bcd5d3f1b1824d037f1440c Mon Sep 17 00:00:00 2001 From: ljstella Date: Thu, 25 Jul 2024 11:16:08 -0500 Subject: [PATCH 12/15] Missed one. --- detections/endpoint/detect_remote_access_software_usage_file.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index 10e76ff991..7bd72c130e 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml @@ -74,6 +74,7 @@ tags: - Filesystem.file_name risk_score: 25 security_domain: endpoint + manual_test: This detection uses A&I lookups from Enterprise Security. tests: - name: True Positive Test attack_data: From 3b6801f026c1ceab53b10d911f583697514debaf Mon Sep 17 00:00:00 2001 From: ljstella Date: Fri, 26 Jul 2024 10:45:32 -0500 Subject: [PATCH 13/15] Datestamped lookup --- lookups/remote_access_software.yml | 4 ++-- ...access_software.csv => remote_access_software20240726.csv} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename lookups/{remote_access_software.csv => remote_access_software20240726.csv} (100%) diff --git a/lookups/remote_access_software.yml b/lookups/remote_access_software.yml index a9f72acf2a..e0b7174e23 100644 --- a/lookups/remote_access_software.yml +++ b/lookups/remote_access_software.yml 
@@ -1,8 +1,8 @@ description: A list of Remote Access Software -filename: remote_access_software.csv +filename: remote_access_software20240726.csv name: remote_access_software default_match: 'false' match_type: WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo) min_matches: 1 max_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +case_sensitive_match: 'false' diff --git a/lookups/remote_access_software.csv b/lookups/remote_access_software20240726.csv similarity index 100% rename from lookups/remote_access_software.csv rename to lookups/remote_access_software20240726.csv From f1a79b1d5029ddc1b14678b7c137478e9ca5a12c Mon Sep 17 00:00:00 2001 From: ljstella Date: Fri, 26 Jul 2024 11:57:09 -0500 Subject: [PATCH 14/15] Converting to KVstore for exceptions --- lookups/remote_access_software_exceptions.csv | 5 ----- lookups/remote_access_software_exceptions.yml | 8 ++------ 2 files changed, 2 insertions(+), 11 deletions(-) delete mode 100644 lookups/remote_access_software_exceptions.csv diff --git a/lookups/remote_access_software_exceptions.csv b/lookups/remote_access_software_exceptions.csv deleted file mode 100644 index 561df22d92..0000000000 --- a/lookups/remote_access_software_exceptions.csv +++ /dev/null @@ -1,5 +0,0 @@ -asset,software,exception_date,exception_ttl_days,exception,comment -example_asset,Example_RMM_with_expiration,2024-01-01,30,TRUE,Example to show usage for a temporary exception for a single asset -example_asset_2,Example_RMM_without_expiration,2024-01-01,,TRUE,Example to show usage for a permanent exception for a single asset -example_asset_*,Example_RMM_wildcard_1,2024-01-01,,TRUE,Example to show usage for a permanent exception for a wildcard asset match -*,Example_RMM_wildcard_2,2024-01-01,,TRUE,Example to show usage for a permanent exception for all detections/assets \ No newline at end of file 
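Review bot: deleting `remote_access_software_exceptions.csv` in PATCH 14 also deletes the only place the exception schema and the wildcard examples (`example_asset_*`, `*`) were documented; with the data now in a KV Store collection, move those example rows and the meaning of an empty `exception_ttl_days` (permanent exception) into the lookup `description` or the detections' `how_to_implement`.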
diff --git a/lookups/remote_access_software_exceptions.yml b/lookups/remote_access_software_exceptions.yml index 193fc224c1..c59a12a474 100644 --- a/lookups/remote_access_software_exceptions.yml +++ b/lookups/remote_access_software_exceptions.yml @@ -1,8 +1,4 @@ description: A list used to provide global exceptions to remote access monitoring content. -filename: remote_access_software_exceptions.csv +collection: remote_access_software_exceptions name: remote_access_software_exceptions -default_match: 'false' -match_type: WILDCARD(asset) -min_matches: 1 -max_matches: 1 -case_sensitive_match: 'false' \ No newline at end of file +fields_list: _key, asset, software, exception_date, exception_ttl_days, exception, comment From a980709e4b77a0f1b869814507b8af35bd76edba Mon Sep 17 00:00:00 2001 From: ljstella Date: Fri, 26 Jul 2024 14:11:24 -0500 Subject: [PATCH 15/15] Modified macro name for clarity, updated how to implements with details --- .../endpoint/detect_remote_access_software_usage_file.yml | 7 +++++-- .../detect_remote_access_software_usage_fileinfo.yml | 6 ++++-- .../detect_remote_access_software_usage_process.yml | 7 +++++-- .../network/detect_remote_access_software_usage_dns.yml | 7 +++++-- .../detect_remote_access_software_usage_traffic.yml | 7 +++++-- detections/web/detect_remote_access_software_usage_url.yml | 7 +++++-- ...ter.yml => remote_access_software_usage_exceptions.yml} | 2 +- 7 files changed, 30 insertions(+), 13 deletions(-) rename macros/{remote_access_software_usage_exception_filter.yml => remote_access_software_usage_exceptions.yml} (96%) diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml index da53d0293d..aaf1b8c515 100644 --- a/detections/endpoint/detect_remote_access_software_usage_file.yml +++ b/detections/endpoint/detect_remote_access_software_usage_file.yml 
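Review bot: the KV Store definition drops `match_type: WILDCARD(asset)` along with the other CSV settings, but the macro's `lookup remote_access_software_exceptions asset as asset_temp_field software as signature` and the deleted `example_asset_*` rows relied on wildcard matching on `asset`; confirm the collection definition supports it, or document that asset exceptions are now exact matches. `default_match: 'false'` is gone too, so the `mvfilter(NOT match(...,"false"))` scrubbing in the macro is no longer needed and can be removed.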
@@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count, min(_time) as firstTim | `security_content_ctime(lastTime)` | `drop_dm_object_name(Filesystem)` | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE - | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_file_filter`' + | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_file_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -29,7 +29,10 @@ how_to_implement: The detection is based on data that originates from Endpoint D the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Filesystem` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) - to normalize the field names and speed up the data modeling process. + to normalize the field names and speed up the data modeling process. The "exceptions" + macro leverages both an Assets and Identities lookup, as well as a KVStore collection + called "remote_software_exceptions" that lets you track and maintain device-based + exceptions for this set of detections. known_false_positives: Known or approved applications used by the organization or usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml index 143cdc3afe..61e05f0745 100644 
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml +++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml @@ -20,10 +20,12 @@ search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) a lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name, process_name, process | lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category - | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_fileinfo_filter`' + | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_fileinfo_filter`' how_to_implement: This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being - ingested into Splunk. + ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities + lookup, as well as a KVStore collection named "remote_software_exceptions" + that lets you track and maintain device-based exceptions for this set of detections. known_false_positives: Known or approved applications used by the organization or usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml index 0fd38af38b..0ce8bcbe32 100644 --- a/detections/endpoint/detect_remote_access_software_usage_process.yml +++ b/detections/endpoint/detect_remote_access_software_usage_process.yml 
@@ -23,7 +23,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime Processes.process_name Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference - as desc, category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_process_filter`' + as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, @@ -32,7 +32,10 @@ how_to_implement: The detection is based on data that originates from Endpoint D be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. + names and speed up the data modeling process. The "exceptions" macro leverages + both an Assets and Identities lookup, as well as a KVStore collection called + "remote_software_exceptions" that lets you track and maintain device- + based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml index 1ea5e0b360..a48285b7ee 100644 --- a/detections/network/detect_remote_access_software_usage_dns.yml +++ b/detections/network/detect_remote_access_software_usage_dns.yml @@ -13,12 +13,15 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, - category | eval dest = query | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_dns_filter`' + category | eval dest = query | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_dns_filter`' how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information - Model (CIM) to normalize the field names and speed up the data modeling process. + Model (CIM) to normalize the field names and speed up the data modeling process. The + "exceptions" macro leverages both an Assets and Identities lookup, + as well as a KVStore collection called "remote_software_exceptions" that lets + you track and maintain device-based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml index b7407380f2..a5dcf1b690 100644 --- a/detections/network/detect_remote_access_software_usage_traffic.yml +++ b/detections/network/detect_remote_access_software_usage_traffic.yml @@ -20,11 +20,14 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup remote_access_software remote_appid AS app OUTPUT isutility, description - as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_traffic_filter`' + as signature, comment_reference as desc, category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_traffic_filter`' how_to_implement: The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. + names and speed up the data modeling process. The "exceptions" macro leverages + both an Assets and Identities lookup, as well as a KVStore collection called + "remote_software_exceptions" that lets you track and maintain device- + based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml index c3cfab2438..9e20cc85a2 100644 --- a/detections/web/detect_remote_access_software_usage_url.yml +++ b/detections/web/detect_remote_access_software_usage_url.yml @@ -20,12 +20,15 @@ search: '| tstats count min(_time) as firstTime max(_time) as lastTime latest(We Web.src Web.category Web.url_domain | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("Web")` | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, - category | search isutility = True | `remote_access_software_usage_exception_filter` | `detect_remote_access_software_usage_url_filter`' + category | search isutility = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_url_filter`' how_to_implement: The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names - and speed up the data modeling process. + and speed up the data modeling process. The "exceptions" macro leverages + both an Assets and Identities lookup, as well as a KVStore collection called + "remote_software_exceptions" that lets you track and maintain device- + based exceptions for this set of detections. known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. 
diff --git a/macros/remote_access_software_usage_exception_filter.yml b/macros/remote_access_software_usage_exceptions.yml similarity index 96% rename from macros/remote_access_software_usage_exception_filter.yml rename to macros/remote_access_software_usage_exceptions.yml index f375bb559a..445565f594 100644 --- a/macros/remote_access_software_usage_exception_filter.yml +++ b/macros/remote_access_software_usage_exceptions.yml @@ -6,4 +6,4 @@ definition: 'eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest | search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED")) | fields - asset_temp_field,exception_asset' description: Macro used with remote access monitoring content to define exception lookup and usage. Returns filtered results based on contents of remote_access_software_usage_exception.csv -name: remote_access_software_usage_exception_filter \ No newline at end of file +name: remote_access_software_usage_exceptions \ No newline at end of file
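Review bot: In the PATCH 14 hunk that deletes lookups/remote_access_software_exceptions.csv, the removed example rows were the only documentation of how the exception fields are meant to be used (a row with `exception_ttl_days` of 30 for a temporary exception, an empty TTL for a permanent one, and `example_asset_*` / `*` for wildcard asset matches). With the CSV gone, please carry those examples into the `description` of remote_access_software_exceptions.yml or into the `how_to_implement` text, so users know how to populate the collection and that an empty `exception_ttl_days` means no expiry.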
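Review bot: In the remote_access_software_exceptions.yml hunk (PATCH 14), switching from `filename:` to `collection:` also drops `match_type: WILDCARD(asset)` and `case_sensitive_match: 'false'`, but the deleted CSV's example rows (`example_asset_*`, `*`) relied on wildcard asset matching. Either confirm that the collection-backed lookup definition still applies wildcard matching on `asset` and say so in `description`, or state that exact asset names are now required; silently losing the `*` catch-all row semantics would make existing global exceptions stop suppressing results. A `fields_list` that starts with `_key` is correct for a KV store collection, but please also document which field is the lookup key for the macro.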
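Review bot: In the detect_remote_access_software_usage_file.yml `how_to_implement` hunk (PATCH 15, @@ -29,7 +29,10), the added text names the KVStore collection "remote_software_exceptions", but the collection defined in PATCH 14 is `remote_access_software_exceptions`; the same mismatch is repeated in the fileinfo, process, dns, traffic and url hunks. Use the real collection name in all six files so that a user searching for the collection finds it. The unchanged `known_false_positives` context in this hunk still points at "remote_access_software_usage_exception.csv", which no longer exists after the CSV deletion; that sentence should be updated in the same PR.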
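Review bot: In the detect_remote_access_software_usage_fileinfo.yml hunk (PATCH 15, @@ -20,10 +20,12), the new dependency on "an Assets and Identities lookup" is introduced only in prose; since the macro's `exception_asset` is derived from `src`/`dest` (see the macro hunk), please state what happens when the assets lookup is absent (results pass through unfiltered, or the macro errors), because this detection previously needed only Sysmon data. The `known_false_positives` context line here also still references the deleted remote_access_software_usage_exception.csv.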
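Review bot: In the detect_remote_access_software_usage_process.yml `how_to_implement` hunk (PATCH 15, @@ -32,7 +32,10), the added line ends with "device-" and the next line starts with "based"; in a folded YAML plain scalar the line break becomes a space, so the rendered text reads "device- based". Keep "device-based" on one line. The same split occurs in the traffic and url hunks, while the dns hunk keeps it intact.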
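Review bot: In the macro rename hunk (macros/remote_access_software_usage_exceptions.yml), only `name:` changes while the unchanged `description` still says results are "based on contents of remote_access_software_usage_exception.csv"; after PATCH 14 the backing store is the `remote_access_software_exceptions` KV store collection, so update the description in this rename. The renamed file also keeps "No newline at end of file"; add the trailing newline while touching the line. Since the filter is `search NOT (rmm_exception = TRUE AND rmm_exception_end IN ("FALSE","UNLIMITED"))`, a short comment in `description` on how `rmm_exception_end` is computed from `exception_date` and `exception_ttl_days` would make the expiry behaviour reviewable.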